GET vs POST in REST Web Service

Tags: rest

I'm in the process of developing a REST service that allows a user to claim their listing based on a couple of pieces of information that appear on their invoice (invoice number and billing zip).

I've read countless articles and Stack Overflow questions about when to use GET and when to use POST. Overall, the common consensus is that GET should be used for idempotent operations and POST should be used for operations that create something on the server side. However, this article:

http://blog.teamtreehouse.com/the-definitive-guide-to-get-vs-post

has caused me to question using GET for this particular scenario, simply because of the fact that I'm using these 2 pieces of information as a mechanism to validate the identity of the user. I'm not updating anything on the server using this particular method call, but I also don't necessarily want to expose the information in the URL.

This is an internal web service and only the front-end that calls the service is publicly exposed, so I don't have to worry about the URL showing up in a user's browser history. My only concern would be the unlikely event that someone gains server log access, in which case, I'd have bigger problems.

I'm leaning toward POST for security reasons; however, GET feels like the correct method due to the fact that the request is idempotent. What is the recommended method in this case?

Luke asked Apr 16 '13 20:04



1 Answer

Independently of POST vs GET, I would recommend NOT basing your security on something as simple as a zip code and an invoice number. I would bet on the fact that invoice numbers are sequential (or close), and there aren't that many zip codes around - voila, I got full access to your listings.

If you're using another authentication method (typically in HTTP header), then you're good - it doesn't matter if you have an invoice number in the URL, so might as well use GET.

If you're not, then I guess POST isn't as bad as GET in terms of exposing confidential content.

ptyx answered Sep 27 '22 18:09
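The server-log exposure discussed in this thread, as an added example that is not part of the original question or answer: it checks access-log lines for claim values carried in the request target and redacts them. The parameter names `invoice` and `zip`, the `/claims` path, and both log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical parameter names for the claim request (assumed, not from the post).
SENSITIVE = {"invoice", "zip"}

# Quoted request line of a Common/Combined Log Format entry.
REQUEST_LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"'
)

def redact_target(target):
    """Replace the values of sensitive query parameters with a fixed marker."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def redact_line(line):
    """Redact sensitive query values inside one access-log line."""
    return REQUEST_LINE.sub(
        lambda m: '"%s %s %s"' % (m["method"], redact_target(m["target"]), m["proto"]),
        line,
    )

def leaks(line):
    """True if the logged request target carries a sensitive parameter value."""
    m = REQUEST_LINE.search(line)
    if not m:
        return False
    query = urlsplit(m["target"]).query
    return any(k.lower() in SENSITIVE and v
               for k, v in parse_qsl(query, keep_blank_values=True))

# Constructed sample log lines (not real traffic). With GET the claim values
# are part of the request target; with POST they travel in the body, which
# standard access-log formats do not record.
GET_LINE = ('10.0.0.5 - - [16/Apr/2013:20:04:00 +0000] '
            '"GET /claims?invoice=100234&zip=90210 HTTP/1.1" 200 512')
POST_LINE = ('10.0.0.5 - - [16/Apr/2013:20:04:01 +0000] '
             '"POST /claims HTTP/1.1" 200 512')

if __name__ == "__main__":
    for line in (GET_LINE, POST_LINE):
        print(leaks(line), redact_line(line))
```

Redaction of this kind only covers logs you control; proxies or other intermediaries between the front-end and the service may record the full URL as well.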