[thelist] Security of Post vs Get

Ken Schaefer ken.schaefer at gmail.com
Tue Aug 24 18:41:38 CDT 2004


On Tue, 24 Aug 2004 22:13:14 +0100, Richard Davey <rich at launchcode.co.uk> wrote:
> Hello Hershel,
> 
> Tuesday, August 24, 2004, 6:26:35 PM, you wrote:
> 
> HR> I have a page which makes a call to the server and loads the resultant page
> HR> into a hidden iframe, then operating on the data loaded there.
> 
> HR> Are there grounds to suggest that using a form and method="POST" would be
> HR> more secure than a GET or just building a URL with JavaScript and submitting
> HR> that?
> 
> The security isn't in the method you use to transport the data, it is
> in the script that receives it - it matters not if its a GET or POST,
> if the receiving script doesn't sufficiently validate the data (and/or
> source of data) it's hackable regardless.


I disagree. Hershel mentioned that this is a "secure" site. Presumably
this means that the site is secured using a server certificate and
served over HTTPS

When using HTTPS the actual URI requested is *not* encrypted. This is
passed as plain text to the server. Everything else is encrypted,
included all other HTTP headers (which in turn includes the POSTed
data).

So, from the perspective of securing the transmission of the data from
the client to the server, using POST to transmit form field values is
more secure than using GET.

WRT to securing the information on the client, or on the server, then
GET -vs- POST is largely a moot point.

Cheers
Ken


More information about the thelist mailing list