WebApp Sec mailing list archives

Re: When GET = POST?


From: Jonas Anden <jonas.anden () aptilo com>
Date: 10 Nov 2002 16:25:34 +0100

There are two reasons to consider using POST vs GET methods that come to 
mind from a developer perspective.

      1. Obfuscation: POST hides the variables from the URL that can be 
easily seen in any web browser. This makes any possible attacker have to 
work harder to check what variables and data types are passed in a post 
form.

      2. Amount of data and non-text data types: You cannot pass binary 
data in the query string of a URL. Additionally, the HTTP RFCs limit the 
amount of data that can be passed in a GET header significantly compared 
to that in a POST header.

Actually, I consider the biggest reason for using POST instead of GET to
be that, since GET requests are part of the URL, they are generally logged.
Consider the case where you pass sensitive data such as credit card
numbers through a GET request. It doesn't matter how well you encrypt your
database or your session; the credit card numbers still appear in clear
text in the web server logs.

  // J
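The logging point above is easy to check for in practice: if card numbers ever travelled in a query string, they are sitting in the access log. The following is an added example (not code from the poster or from the list) that scans combined-format access log lines for query-string values that look like card numbers, and shows the complementary redaction step an application can apply to the request target before it is written to its own logs. The log lines, the `/checkout` and `/search` paths, and the parameter names are constructed for the example; the Luhn check is the standard card-number checksum and the log format is the common Apache/nginx "combined" format.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample access log (combined format), not real traffic.
# Line 1 is the case the post describes: a card number sent via GET.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2002:16:25:34 +0100] "GET /checkout?name=Jonas&card=4111111111111111&exp=1205 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Nov/2002:16:25:40 +0100] "POST /checkout HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Nov/2002:16:26:01 +0100] "GET /search?q=1234567890123&page=2 HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
"""

# Pulls the method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card(value: str) -> bool:
    """13-19 digits (spaces/dashes allowed) that pass the Luhn check."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_card_numbers_in_log(log_text: str):
    """Return (line number, method, parameter name) for every query-string
    parameter whose value looks like a card number. The number itself is
    deliberately not returned, so the report does not re-leak it."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if looks_like_card(value):
                findings.append((lineno, m.group("method"), key))
    return findings


def redact_query(target: str) -> str:
    """Mask card-like values in a request target before the application
    logs it. This only helps logs the application controls; the web
    server, proxies and browser history still see the original URL,
    which is why moving the data into the POST body is the real fix."""
    parts = urlsplit(target)
    pairs = [
        (k, "REDACTED" if looks_like_card(v) else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(pairs), parts.fragment))


if __name__ == "__main__":
    for lineno, method, key in find_card_numbers_in_log(SAMPLE_LOG):
        print(f"line {lineno}: {method} request leaks card number in parameter {key!r}")
    print(redact_query("/checkout?name=Jonas&card=4111111111111111&exp=1205"))
```

Run against the sample, only the first line is reported (the `q` value on line 3 is all digits but fails the Luhn check, so it is not a card number), and the POST on line 2 carries nothing in the URL at all, which is exactly the difference the post is making.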

