Menu
Can anyone explain the difference between a HTTP-GET and HTTP-POST? And why do people say that a HTTP-POST is weaker in terms of security?
464
In GET method, values are visible in the URL. In POST method, values are not visible in the URL. GET has a limitation on the length of the values, generally 255 characters. POST has no limitation on the length of the values since they are submitted via the body of HTTP.
The GET request is marginally less secure than the POST request. Neither offers true "security" by itself; using POST requests will not magically make your website secure against malicious attacks by a noticeable amount. However, using GET requests can make an otherwise secure application insecure.
POST is more secure than GET for a couple of reasons. GET parameters are passed via URL. This means that parameters are stored in server logs, and browser history. When using GET, it makes it very easy to alter the data being submitted the the server as well, as it is right there in the address bar to play with.
In an HTTP GET request, key/value pairs are specified in the URL:
http://server/something?value1=foo&value2=bar.
In an HTTP POST request, key/value pairs are sent as part of the HTTP request after the headers. For example:
POST /something HTTP/1.1 Host: server Content-Length: 21 Content-Type: application/x-www-form-urlencoded value1=foo&value2=bar
It's hard to really describe one as being more or less secure than the other, but HTTP POST data is not visible in the URL, and when submitting data to a website, an HTTP POST can usually only be performed as a result of user interaction (for example clicking on a "Submit" button).
This means a user can't be tricked into visiting a URL like http://server/update_profile?name=I_suck and sensitive data is not exposed in the URL.
You can also use nonces and other anti-forgery tokens with html forms (which use POST) to prevent other forms of cross-site request forgeries.
In general, POST should be used for requests that potentially modify state on the server, and GET should be used for read-only operations.
116
The HTTP specification differentiates POST and GET in terms of their intent:
GET is idempotent: it is for obtaining a resource, without changing anything on the server. As a consequence it should be perfectly safe to resubmit a GET request.
POST is not: it is for updating information on the server. It can therefore not be assumed that it is safe to re-submit the request which is why most browsers ask for confirmation when you hit refresh on a POST request.
In terms of security, no difference. POST is more obscure, perhaps, but that's a very different thing. Security needs to be added at another layer, for example SSL.
34
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
