Can anyone explain the difference between an HTTP-GET and an HTTP-POST? And why do people say that an HTTP-POST is more unsecured than a GET?
views: 318
answers: 6
What is the difference between an HTTP-GET and an HTTP-POST, and is HTTP-POST security weak?
Part 1 of your question is a duplicate of several previous questions:
http://stackoverflow.com/questions/506286/http-get-and-post
As for part 2, I'm not quite sure what you mean by POST being unsecured, but a GET request is the less secure of the two, considering that all of the form contents submitted over GET are displayed in the browser URL and then stored in server logs and browser history.
I wouldn't call POST more or less secure than GET. Admittedly parameters are displayed as part of the URL when using GET, so any sensitive data will be immediately visible to the user. However, it is trivial to view and even change any part of the HTTP request, so just because POST doesn't pass data through the URL it can still easily be read. Unless you're using HTTPS both GET and POST will transfer data in an easily accessible form.
The GET method is meant for data retrieval only and should not have any side-effects. But POST is meant for that specific purpose: altering data on the server side.
GET requests can easily be forged (see Cross-Site Request Forgery) by just placing an image on a page, while forging POST requests is not that easy (this is also a reason why you should only allow authorized POST requests).
The HTTP specification differentiates POST and GET in terms of their intent:
GET is idempotent: it is for obtaining a resource, without changing anything on the server. As a consequence it should be perfectly safe to resubmit a GET request.
POST is not: it is for updating information on the server. It can therefore not be assumed that it is safe to re-submit the request which is why most browsers ask for confirmation when you hit refresh on a POST request.
In terms of security, no difference. POST is more obscure, perhaps, but that's a very different thing. Security needs to be added at another layer, for example SSL.
Here is a good article that explains HTTP POST and HTTP GET requests:
http://patelshailesh.com/index.php/http-get-and-http-post-in-asp-net