[thelist] Security of Post vs Get

Matt Warden mwarden at gmail.com
Tue Aug 24 12:48:43 CDT 2004


On Tue, 24 Aug 2004 13:26:35 -0400, Hershel Robinson
<hershelr at netvision.net.il> wrote:
> I have a page which makes a call to the server and loads the resultant page
> into a hidden iframe, then operates on the data loaded there.
> 
> Are there grounds to suggest that using a form and method="POST" would be
> more secure than a GET or just building a URL with JavaScript and submitting
> that?

People will generally say that POST is more 'secure' than GET. This is
mainly because on computers that multiple people use, one might
try to revisit a page in the browser's history. With GET, the
variables are resubmitted, whereas if it were POST, they would not be
(and your application would be able to easily detect a request that
looked like a revisit, because it would have no POST data as
expected).

However, as far as malicious use goes, POST is no more secure than
GET. It takes minimally more effort to submit a malicious POST than it
does a GET.


-- 
Matt Warden
Miami University
Oxford, OH
http://mattwarden.com


This email proudly and graciously contributes to entropy.
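
An added example, not part of the original message: a server-side sketch of the two points made in the reply above, showing that GET parameters persist in the URL that history keeps while a POST to the same URL without form data can be flagged, and that input validation has to be identical for both methods. The /transfer path, the account and amount fields, and the request objects are constructed for illustration.

```javascript
// Added example: request objects and field names are hypothetical.
const BASE = "http://example.invalid"; // placeholder origin for URL parsing

// Read parameters from wherever the method carries them.
function params(req) {
  return req.method === "GET"
    ? new URL(req.url, BASE).searchParams
    : new URLSearchParams(req.body || "");
}

// What browser history (and typically an access log) retains: the URL only.
function historyEntry(req) {
  const url = new URL(req.url, BASE);
  return url.pathname + url.search;
}

// The same checks run for both methods; the method is not a trust signal.
function validate(p) {
  if (!/^[0-9]{1,4}$/.test(p.get("amount") || "")) return "bad amount";
  if (!/^[a-z0-9]{1,16}$/.test(p.get("account") || "")) return "bad account";
  return null;
}

function handle(req) {
  if (req.method === "POST" && !req.body) {
    // The case described in the message: a POST URL requested without its form data.
    return { status: 400, reason: "no POST data (revisit?)" };
  }
  const err = validate(params(req));
  return err ? { status: 422, reason: err } : { status: 200, reason: "ok" };
}

// Constructed sample requests.
const getReq = { method: "GET", url: "/transfer?account=alice01&amount=50" };
const postReq = { method: "POST", url: "/transfer", body: "account=alice01&amount=50" };
const revisit = { method: "POST", url: "/transfer", body: "" };
const tamperedPost = { method: "POST", url: "/transfer", body: "account=alice01&amount=-1" };

for (const r of [getReq, postReq, revisit, tamperedPost]) {
  console.log(r.method, historyEntry(r), JSON.stringify(handle(r)));
}
```

The history entry for the GET request still contains both field values, the POST entry is only the path, and the tampered POST is rejected by validation rather than by anything about the method.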

