tags:

views:

3539

answers:

15
+19  Q: 

GET versus POST in terms of security?

This may be a dumb question, but between a http POST and GET, what are the differences from a security perspective? Is one inherently more secure then another? I realize that POST doesn't expose information on the URL but is there any real value in that or is it just security through obscurity? What is the best practice here?

Edit: Over https, POST data is encoded, but could urls be sniffed by a 3rd party? Additionally, I am dealing with JSP, but when using JSP or a similar framework, would it be fair to say the best practice is to avoid if at all possible placing sensitive data in the POST or GET and using server side code to handle sensitive information?

+1  A: 

It is harder to alter a POST request (it requires more effort than editing the query string). Edit: In other words, it's only security by obscurity, and barely that.

eyelidlessness  2008-10-13 18:10:01
I can alter POST requests just as easy as query string requests, using a few add ons for Firefox. i can even modify cookie data to my heart's content.
stephenbayer  2008-10-13 18:12:10
Yeah, not that much harder. Might slow the script kiddies down, but they're still out there.
Danimal  2008-10-13 18:14:49
it won't slow down script kiddies, it is exactly the type of thing script kiddies try all the time. The problem is that they sometimes succeed.
Jacco  2008-10-13 18:16:52
Uh. Using addons for Firefox = more effort than query string.
eyelidlessness  2008-10-13 18:18:49
Your answer will give people a false sense that they are being more secure when using a post, when in fact, they are not. Bad answer, bad man.
Chris Marasti-Georg  2008-10-13 18:27:16
I edited to make the intent of my answer more clear. Hopefully that helps.
eyelidlessness  2008-10-13 18:32:05
+2  A: 

There is a nice blog entry about this on Jeff's blog Coding Horror: Cross-Site Request Forgeries and You.

fhe  2008-10-13 18:10:56
+37  A: 

As far as security, they are inherently the same. While it is true that POST doesn't expose information via the URL, it exposes just as much information as a GET in the actual network communication between the client and server. If you need to pass information that is sensitive, your first line of defense would be to pass it using Secure HTTP.

GET or query string posts are really good for information required for either bookmarking a particular item, or for assisting in search engine optimization and indexing items.

POST is good for standard forms used to submit one time data. I wouldn't use GET for posting actual forms, unless maybe in a search form where you want to allow the user to save the query in a bookmark, or something along those lines.

stephenbayer  2008-10-13 18:11:03
With the caveat that for a GET the URL shown in the location bar can expose data that would be hidden in a POST.
tvanfosson  2008-10-13 18:29:02
It's hidden only in the most naive sense
davetron5000  2008-10-13 18:33:01
true, but you can also say that the keyboard is insecure because someone could be looking over your shoulder when your typing your password. There's very little difference between security through obscurity and no security at all.
stephenbayer  2008-10-14 14:59:29
As mentioned in this post, if data is going to be submitted and especially if it will be saved, it should not be using GET parameters. Thats one easy way for cross site scripting attacks to take place.
ghills  2009-08-19 04:38:46
The visibility (and caching) of querystrings in the URL and thus the address box is *clearly* less secure. There's no such thing as absolute security so degrees of security are relevant.
pbreitenbach  2009-08-19 05:06:15
@stephenbayer: Suppose that I need to send, say, order id to server to search for the corresponding order details, and then show it to the user for modification. If I use "GET", the order id will be exposed, and if the user is clever enough, he/she may change the order id in the url, which will allow him/her to see orders from other users. What should I do in that case ?
Night Shade  2010-03-19 14:31:33
it's even exposed if you use a post. in your case, the post would be slightly more secure. But seriously.. I can change post variables all day long, just as easy as get variables. Cookies can even be viewed and modified.. never rely on the information you're site is sending in any way shape or form. The more security you need, the more verification methods you should have in place.
stephenbayer  2010-03-21 14:35:23
@Night Shade. How about validating that the order belongs to the user before displaying it? If the user is "clever enough" (read, if they can install any of the gazillion browser plugins that allow you modifiy the http request at will), POST doesn't buy you anything.
Juan Pablo Califano  2010-10-02 01:56:03
+13  A: 

There is no added security.

Post data does not show up in the history and/or log files but if the data should be kept secure, you need SSL.
Otherwise, anybody sniffing the wire can read your data anyway.

Jacco  2008-10-13 18:11:20
SSL encodes POST data but a GET url is unencoded correct?
James McMahon  2008-10-13 18:26:03
if you GET a URL over SSL, a third party will not be able to see the URL, so the security is the same
davetron5000  2008-10-13 18:33:50
that's correct, nemo. Obviously users can still see the data in the URL.
Eric Wendelin  2008-10-13 18:34:20
GET information can only be seen at the start and end of the SSL tunnel
Jacco  2008-10-13 18:35:54
And the sys admins when they grep trough the log files.
Tomalak  2008-10-13 18:36:15
I would say there is *some* added security in that POST data won't be stored in the user's browser history, but GET data will.
Kip  2008-10-13 20:16:21
I think that my definition of 'security' is different from some people here
Jacco  2008-10-16 09:47:16
+3  A: 

My usual methodology for choosing is something like:

  • GET for items that will be retrieved later by URL
    • E.g. Search should be GET so you can do search.php?s=XXX later on
  • POST for items that will be sent
    • This is relatively invisible comapred to GET and harder to send, but data can still be sent via cURL.
Ross  2008-10-13 18:11:50
anybody can send POST data: <form method="POST" action="http://whatever.com">
Jacco  2008-10-13 18:12:57
But it *is* harder to do a POST than a GET. A GET is just a URL in the address box. A POST requires a <form> in an HTML page or cURL.
pbreitenbach  2009-08-19 05:10:20
So a fake post takes notepad and 5 minutes of time... not really much harder. I have used notepad to add features to a phone system that didn't exist. I was able to create a copy of the admin forms for the system that would allow me to assign commands to buttons that "were not possible" as far the vendor was concerned.
Matthew Whited  2009-11-16 19:50:53
+5  A: 

Even if POST gives no real security benefit versus GET, for login forms or any other form with relatively sensitive information, make sure you are using POST as:

  1. The information POSTed will not be saved in the user's history.
  2. The sensitive information (password, etc.) sent in the form will not be visible later on in the URL bar (by using GET, it will be visible in the history and the URL bar).

Also, GET has a theorical limit of data. POST doesn't.

For real sensitive info, make sure to use SSL (HTTPS)

Andrew Moore  2008-10-13 18:16:19
for 1. Browser often, for the convenience of users, save information posted in form fields.
Kibbee  2008-10-13 18:37:23
@Kibbee: By spec, they shouldn't. The major browsers doesn't save that information.
Andrew Moore  2008-10-13 18:41:59
In the default settings, every time I enter a username and password in firefox / IE, it asks me if I want to save this information, specifically so I won't have to type it in later.
Kibbee  2008-10-13 18:50:08
Andrew I think he means auto complete on user input fields. For instance, Firefox remembers all data I enter in my website, so when I begin to type text into a search box it will offer to complete the text with my previous searches.
James McMahon  2008-10-13 18:51:20
Yes, well, that's the point of auto-complete, isn't it. What I meant was the actually history, not auto-complete.
Andrew Moore  2008-10-13 20:11:05
A: 

GET is visible to anyone (even the one on your shoulder now) and is saved on cache, so is less secure of using post, btw post without some cryptographics routine is not sure, for a bit of security you've to use SSL (https)

kentaromiura  2008-10-13 18:17:48
+1  A: 

Many people adopt a convention (alluded to by Ross) that GET requests only retrieve data, and do not modify any data on the server, and POST requests are used for all data modification. While one is not more inherently secure than the other, if you do follow this convention, you can apply cross-cutting security logic (e.g. only people with accounts can modify data, so unauthenticated POSTs are rejected).

Eric Rath  2008-10-13 18:19:05
Actually it isn't a "convention" it's part of the HTTP standard. The RFC is very explicit in what to expect from the different methods.
John Nilsson  2008-10-13 20:01:30
+6  A: 

Neither one of GET and POST is inherently "more secure" than the other, just like neither one of fax and phone is "more secure" than the other. The various HTTP methods are provided so that you can choose the one which is most appropiate for the problem you're trying to solve. GET is more appropiate for idempotent queries while POST is more appropiate for "action" queries, but you can shoot yourself in the foot just as easily with any of them if you don't understand the security architecture for the application you're maintaining.

It's probably best if you read Chapter 9: Method Definitions of the HTTP/1.1 RFC to get an overall idea of what GET and POST were originally envisioned ot mean.

Mihai Limbășan  2008-10-13 18:37:44
A: 

This isn't security related but... browsers doesn't cache POST requests.

Daniel Silveira  2008-10-13 19:05:06
+4  A: 

The difference between GET and POST should not be viewed in terms of security, but rather in their intentions towards the server. GET should never change data on the server - at least other than in logs - but POST can create new resources.

Nice proxies won't cache POST data, but they may cache GET data from the URL, so you could say that POST is supposed to be more secure. But POST data would still be available to proxies that don't play nicely.

As mentioned in many of the answers, the only sure bet is via SSL.

But DO make sure that GET methods do not commit any changes, such as deleting database rows, etc.

ruquay  2008-10-13 20:05:23
I agree with this. The question is not security, it's what POST and GET are designed to do.
pbreitenbach  2009-08-19 05:16:46
+2  A: 

Neither one magically confers security on a request, however GET implies some side effects that generally prevent it from being secure.

GET URLs show up in browser history and webserver logs. For this reason, they should never be used for things like login forms and credit card numbers.

However, just POSTing that data doesn't make it secure, either. For that you want SSL. Both GET and POST send data in plaintext over the wire when used over HTTP.

There are other good reasons to POST data, too - like the ability to submit unlimited amounts of data, or hide parameters from casual users.

The downside is that users can't bookmark the results of a query sent via POST. For that, you need GET.

edebill  2008-10-13 20:11:32
+1  A: 

I'm not about to repeat all the other answers, but there's one aspect that I haven't yet seen mentioned - it's the story of disappearing data. I don't know where to find it, but...

Basically it's about a web application that mysteriously every few night did loose all its data and nobody knew why. Inspecting the Logs later revealed that the site was found by google or another arbitrary spider, that happily GET (read: GOT) all the links it found on the site - including the "delete this entry" and "are you sure?" links.

Actually - part of this has been mentioned. This is the story behind "don't change data on GET but only on POST". Crawlers will happily follow GET, never POST. Even robots.txt doesn't help against misbehaving crawlers.

Olaf  2008-10-14 19:19:05
+1  A: 

  1. SECURITY as safety of data IN TRANSIT: no difference between POST and GET.

  2. SECURITY as safety of data ON THE COMPUTER: POST is safer (no URL history)

 2009-08-19 04:36:35
+6  A: 

Alright, I have read all of these answers and I see one blatantly missing piece of information:

If a GET request changes data, a confused deputy attack is possible.

Consider this URL:

http://example.com/do.php?action=delete&id=1

Now, let's for example imagine that someone wanted to delete ID #3. What would be the easies attack vector? Clearly, with sufficient security, the Attacker could not get that URL to do anything.

However, consider this. The attacker finds out who the admin of the site is, follows him onto a forum somwhere and posts this in the forums under a topic about the target site:

<img src="http://example.com/do.php?action=delete&amp;id=3" />

Your browser becomes a confused deputy, executing the delete command under your credentials.

So, the rule is: Don't use 'GET' Requests to Modify Data

In terms of actual data security, however, neither is particularly secure. Use SSL.

John Gietzen  2009-11-16 19:43:20
+1 for correct answer, what the hell people
BlueRaja - Danny Pflughoeft  2010-01-09 01:49:18

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?