user3165401

Reputation: 1

Why are HTTP GET requests used in web applications, although GET is considered 'insecure' compared to POST requests?

I've been working with PHP for two years and have a question pertaining to the HTTP methods used for requests to web applications, specifically HTTP POST and HTTP GET.

I believe POST requests are more secure compared to GET requests.

But still people use GET requests, even though they are considered insecure.

Why is this so?

Upvotes: 0

Views: 1769

Answers (4)

Nikhil Silveira

Reputation: 554

To add to Don's answer, here's another link for more context: https://medium.com/@robert.broeckelmann/http-post-vs-get-is-one-more-secure-for-use-in-rest-apis-2469753121b0

Cyber Security departments of large banks are commonly guilty of propagating this misunderstanding. They share a dogmatic viewpoint that eschews GET requests. The only explanation they provide is of the form:

"It's best practice! GET is insecure!"

GET is not inherently more insecure IMO.

It just serves a different purpose. If you use it for state-changing operations, you open the door to disguised urls in image tags that can be used for Cross-Site Request Forgery (CSRF) attacks.

For CSRF with POST requests, you need to have a properly constructed webform with hidden fields, submitted to the service provider (web application) using JavaScript, typically on click of a link or page load.

However, modern browsers have a Same-Origin Policy (SOP) that blocks scripts in one origin from accessing data from another origin, where an origin is the combination scheme://domain:port.

An attacker can obtain request parameters even for a POST request. Their not being revealed in the URL is an inconvenience to a shoulder-surfer, not a deterrent to a hacker.

The combination of using a GET request to allow a state change on the app and not requiring a script to execute the GET request is what makes it dangerous, because the cookies are sent along anyway.

A POST request, in contrast, is assumed to be state-changing on the app, and the combination of the Same-Origin Policy and synchronizer tokens can prevent CSRF attacks.

I hope this adds some clarity to the debate.

Upvotes: 0
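An added example, not part of any answer above, illustrating the CSRF point in Nikhil's answer. It models a hypothetical bank app in plain Python (no framework): one endpoint changes state on GET and is authenticated by the session cookie alone, so a forged <img> request succeeds; the other accepts only POST and requires a synchronizer token that the attacker's page cannot read because of the Same-Origin Policy. All names (BankApp, bank.example, alice, mallory) are constructed for the example.

```python
"""Constructed example: CSRF against a state-changing GET endpoint, beside a POST
endpoint protected by a per-session synchronizer token. Hypothetical app, not from the post."""
import secrets
from urllib.parse import urlsplit, parse_qs


class BankApp:
    """In-memory stand-in for a web application with sessions and balances."""

    def __init__(self):
        self.balances = {"alice": 100, "mallory": 0}
        self.sessions = {}     # session id -> username
        self.csrf_tokens = {}  # session id -> synchronizer token

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        self.csrf_tokens[sid] = secrets.token_hex(16)
        return sid

    def _user_from_cookie(self, request):
        # The browser attaches the session cookie to every request to this origin,
        # whether the user clicked something or an <img> tag triggered the request.
        for part in request["headers"].get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "sid" and value in self.sessions:
                return value, self.sessions[value]
        return None, None

    def _transfer(self, src, dst, amount):
        if amount <= 0 or dst not in self.balances or self.balances.get(src, 0) < amount:
            return 400, "invalid transfer"
        self.balances[src] -= amount
        self.balances[dst] += amount
        return 200, "ok"

    def transfer_via_get(self, request):
        """VULNERABLE: state change on GET, authenticated by the cookie alone."""
        sid, user = self._user_from_cookie(request)
        if user is None:
            return 401, "login required"
        q = parse_qs(urlsplit(request["path"]).query)
        return self._transfer(user, q.get("to", [""])[0], int(q.get("amount", ["0"])[0]))

    def transfer_form(self, request):
        """GET /transfer-form: renders the form carrying the session's synchronizer token."""
        sid, user = self._user_from_cookie(request)
        if user is None:
            return 401, "login required"
        return 200, f'<input type="hidden" name="csrf_token" value="{self.csrf_tokens[sid]}">'

    def transfer_via_post(self, request):
        """Hardened: POST only, and the hidden token must match the session's token."""
        if request["method"] != "POST":
            return 405, "method not allowed"
        sid, user = self._user_from_cookie(request)
        if user is None:
            return 401, "login required"
        form = parse_qs(request["body"])
        token = form.get("csrf_token", [""])[0]
        if not secrets.compare_digest(token, self.csrf_tokens[sid]):
            return 403, "bad csrf token"
        return self._transfer(user, form.get("to", [""])[0], int(form.get("amount", ["0"])[0]))


def browser_request(method, url, cookies, body=""):
    """Model of the browser: cookies for the target origin ride along automatically."""
    parts = urlsplit(url)
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    path = parts.path + ("?" + parts.query if parts.query else "")
    return {"method": method, "path": path, "body": body,
            "headers": {"Cookie": cookie_header, "Host": parts.netloc}}


def run_attack():
    app = BankApp()
    victim = {"sid": app.login("alice")}  # alice is logged in at the bank

    # 1. Attacker page contains <img src="https://bank.example/transfer?to=mallory&amount=50">.
    #    Rendering it makes alice's browser send that GET with her cookie; no script needed.
    img_req = browser_request("GET", "https://bank.example/transfer?to=mallory&amount=50", victim)
    get_status, _ = app.transfer_via_get(img_req)

    # 2. Against the hardened endpoint an auto-submitted form can still POST arbitrary
    #    fields with the cookie, but the attacker's script cannot read the bank's form
    #    page cross-origin, so it has to guess the token.
    forged = browser_request("POST", "https://bank.example/transfer", victim,
                             body="to=mallory&amount=50&csrf_token=guess")
    post_status, _ = app.transfer_via_post(forged)

    # 3. Legitimate same-origin flow: load the form, echo the token back in the POST body.
    _, form_html = app.transfer_form(browser_request("GET", "https://bank.example/transfer-form", victim))
    token = form_html.split('value="')[1].rstrip('">')
    legit = browser_request("POST", "https://bank.example/transfer", victim,
                            body=f"to=mallory&amount=10&csrf_token={token}")
    legit_status, _ = app.transfer_via_post(legit)
    return {"get_csrf": get_status, "post_csrf": post_status,
            "legit_post": legit_status, "balances": dict(app.balances)}


if __name__ == "__main__":
    print(run_attack())
```

Running it shows the GET forgery draining 50 from alice with status 200, the forged POST rejected with 403, and the legitimate POST going through. The token check uses a constant-time comparison; in a real app the token would also be tied to the session lifetime and rotated on login.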

DonCarleone

Reputation: 859

The question you need to answer is "In what way is POST more secure than GET". Once you answer that question you won't have the first question.

User Roman Starkov does a great job at answering that question in "Is either GET or POST more secure than the other?"

You can check out the whole answer here, but here's the gist (taken from Roman's answer):

The GET request is marginally less secure than the POST request. Neither offers true "security" by itself; using POST requests will not magically make your website secure against malicious attacks by a noticeable amount. However, using GET requests can make an otherwise secure application insecure. The mantra that you "must not use GET requests to make changes" is still very much valid, but this has little to do with malicious behaviour.

Upvotes: 0

Sanket

Reputation: 13

Simple answer is

GET is used when we want to pass data which is not going to change (say, static). In addition to this, GET is unsecured, but it doesn't need any user input. For searching, GET is mostly used; the best example is to look at your address bar (O.O). It's using GET.

The POST method is for data which keeps changing, so it is mostly used in forms, as the data keeps changing and may need security to post it to another page.

Upvotes: 0

Padmanathan J

Reputation: 4620

You use POST for larger amounts of data, or data that you don't want to appear within the URL. For instance, you don't want the URL to delete a page, or create one, to appear in someone's history. Neither do you want to save passwords in this way.

For search strings and such, you can easily use GET. It allows users to copy a specific URL, like a specific search result, or a link to the 5th page in a paginated list.

So, either is OK for its own purpose. The only thing you should remember is the maximum size of 8Kb for a URL, including the GET parameters.

Short answer:

Use GET requests when it makes sense for the user to be able to bookmark the request, share the request, and come back to it over and over again. It makes sense to be able to bookmark the result of a Google query, for example.

Longer answer:

Use GET requests when the user is simply fetching/viewing a resource, and doesn't have any significant side-effects on your website's data or on future requests. If the request is creating, modifying, or deleting something, it should be a POST. If the user is logging in to a website, that has effects on future requests, so it should be a POST, not a GET.

Note: Users can still change POST variables.

It's easier for the user to change query string (GET) values, but it's not too difficult for the user to change POST values. Your website's security should take this into account! Using POST for security isn't really a valid reason, except for the fact that POST variables aren't part of the URL and aren't bookmarked, while GET variables are. This prevents users from accidentally sharing things like passwords when sharing links.

GET is better for things that should be able to be bookmarked, and simple queries with few, short parameters.

POST is better for sensitive fields that the user shouldn't see, for large binary transfers, and for transfers with many fields or very long fields.

Upvotes: 0
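An added example, not from the answer above, for the point that GET parameters end up in places a request body does not: a standard "combined" access log records the request line (method, path and query string) but never the POST body. The script below parses constructed log lines, flags requests whose query string carries credential-like parameter names, checks the Referer column as well (a browser may include another page's query string there, depending on referrer policy), and produces a redacted form of the URL suitable for keeping in logs. The log lines, parameter names and domains are all made up for the example.

```python
"""Constructed example: find credentials leaked through GET query strings in access logs."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Apache/nginx "combined" format; the quoted request line is METHOD TARGET PROTO.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Parameter names that should never travel in a URL (assumed list, extend per app).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "token", "access_token",
                  "api_key", "apikey", "secret", "session", "sid", "otp"}

# Constructed sample log; line 2 is a POST whose body (and any password in it) is not logged.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 302 0 "https://app.example/login" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=http+get+vs+post HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2023:13:57:12 +0000] "GET /reset?token=d41d8cd98f HTTP/1.1" 200 812 "https://mail.example/inbox?sid=7f3a" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def sensitive_keys_in(url):
    """Sensitive parameter names present in the URL's query string (sorted, lower-cased)."""
    names = {k.lower() for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_KEYS)


def redact(url):
    """Replace the values of sensitive parameters; everything else is left intact."""
    parts = urlsplit(url)
    pairs = [(k, "[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))


def scan(lines):
    """One finding per (line, column) whose URL carries a sensitive parameter."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as clean
        for where, url in (("request", rec["target"]), ("referer", rec["referer"])):
            keys = sensitive_keys_in(url)
            if keys:
                findings.append({"line": n, "where": where, "method": rec["method"],
                                 "keys": keys, "redacted": redact(url)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']} [{f['where']}] {f['method']} leaks {f['keys']} -> {f['redacted']}")
```

On the sample, lines 1 and 4 are flagged (a password in the login URL, a reset token in the request and a session id in the Referer), while the POST login on line 2 leaves nothing in the log for the scanner to find. The same holds for browser history and shared links, which is the practical argument for keeping such values out of GET parameters.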
