
Is it safe to send user email in a GET request?

Tags: http, security, get

I want to retrieve data from an application's back-end. I have to send the user's email via an API request from the front-end website in order to do this.

Is it good practice to send the user email in a GET request or a POST request? More specifically, is it good practice to not include a user's email as a URL parameter because you don't want some other third party to see it?

Thanks

Nicholas asked Dec 23 '22 05:12


1 Answer

You'll absolutely want to make use of POST requests rather than GET requests for querying email addresses, as GET requests should never be used for sending sensitive information.

Bearing that in mind, you also have to take into consideration what you're doing with your endpoint to begin with. If you're simply requesting public information about an email address (such as resolving the server name or IP), then perhaps a GET request would suffice.

Keep in mind you cannot pass any authorisation headers with a GET request, so if you're querying something like whether the email address in question has a registered account on your website, anyone would be able to find out your users' email addresses by spamming requests until they got a 200 response (thus validating a registered email). And knowing a valid user's email address could serve as an attack vector at a later stage.

In short, you most likely want POST. Only use GET if you're purely querying information about the domain that the email is hosted on.

Obsidian Age answered Dec 27 '22 07:12
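
As an added example (not part of the question or answer above): an email placed in a query string is written into web server access logs and can travel onward in the Referer header, while a POST body is not part of the logged request line. The scanner below finds such exposures in Combined Log Format lines; the log lines, the `/api/profile` endpoint and the hosts are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size "referer" "agent"
LINE = re.compile(r'\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
                  r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"')
EMAIL = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')

# Constructed sample lines; /api/profile and all hosts are hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Dec/2022:05:12:01 +0000] "GET /api/profile?email=nick%40example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Dec/2022:05:12:09 +0000] "POST /api/profile HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Dec/2022:05:13:40 +0000] "GET /static/app.js HTTP/1.1" 200 9001 "https://shop.example/account?user=amy%2Bnews%40example.org" "Mozilla/5.0"
192.0.2.9 - - [23/Dec/2022:05:14:02 +0000] "GET /api/search?q=shoes&page=2 HTTP/1.1" 200 733 "-" "curl/8.0"
"""

def emails_in_url(url):
    """Return (param, value) pairs whose percent-decoded query value is an email."""
    query = urlsplit(url).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if EMAIL.match(v)]

def find_leaks(log_text):
    """Scan access-log text; report each email exposed via request URL or Referer."""
    leaks = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("target", "referer"):
            for param, value in emails_in_url(m[field]):
                leaks.append({"line": lineno, "method": m["method"],
                              "where": field, "param": param, "email": value})
    return leaks

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print(leak)
```

The POST line to the same endpoint produces no finding because the email travels in the body, which the access log does not record.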