Menu
Genaral practice is when you login, or do something else that requires your username and password, you send it in the body of post request. Also for added security https should be used.
In get request these parameters are sent as a part of URL. But in https both body and headers are encrypted, as i understand.
So in theory, whether you use https post or get for sending, your data are safe..., in one case attacker will have to decript your header and in other your body.
So my question is, if this is all true, how is post more secure?
516
Aside what others have already written there is an additional point, that in webservers logsfiles most often the entire url is being logged, so anyone with access to the logfiles can read the login credentials. Furthermore, if there is some traffic analysis tool on the page (say i.e. google analytics or whatever) then the calling url is being reported there as well -> also those people can read the login credentials (and they may even apears in the traffic analysis).
129
GET is recorded at browser's history. Someone might look in your surf history and see your password.
25
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
