Rohit

Reputation: 3146

Sending passwords over HTTPS: GET vs POST

I'm creating a headless API that's going to drive an Angular front end. I'm having a bit of trouble figuring out how I should handle user authentication though.

Obviously the API should run over SSL, but the question that's coming up is how I should send the request that contains the user's password: over GET or POST. It's a RESTful API, so what I'm doing is retrieving information, meaning it should be a GET request. But sending the password over GET means it's part of the URI, right? I know even a GET request is encrypted over HTTPS, but is that still the correct way? Or is this a case to break from RESTful and have the data in the body or something (can a GET request have data in the body?).

Upvotes: 7

Views: 12340

Answers (3)

Joshua Jones

Reputation: 1396

If you pass the credentials in a request header, you will be fine with either a GET or POST request. You have the option of using the established Authorization header with your choice of authentication scheme, or you can create custom headers that are specific to your API.

When using header fields as a means of communicating credentials, you do not need to fear the credentials being written to the access log as headers are not included in that log. Using header fields also conforms to REST standards, and should actually be utilized to communicate any meta-data relevant to the resource request/response. Such meta-data can include, but is not limited to, information like: collection size, pagination details, or locations of related resources.

In summary, always use header fields as a means of authentication/authorization.

Upvotes: 6

lumio

Reputation: 7575

You could send a data body with a get request too but this isn't supported by all libraries I guess.

Better to use POST or request headers. Look at other APIs and how they are handling it.

But you could still use GET with basic authentication like here: http://restcookbook.com/Basics/loggingin/

Upvotes: 1

Mohideen bin Mohammed

Reputation: 20137

Mostly a GET request will bind data in the URL itself, so it is more readable than POST. So if it is GET, there is a possibility of it staying alive in the HISTORY LOG.

Using ?user=myUsername&pass=MyPasswort is exactly like using a GET based form and, while the Referer issue can be contained, the problems regarding logs and history remain.

Sending any kind of sensitive data over GET is dangerous, even if it is HTTPS. This data might end up in log files at the server and will be included in the Referer header in links to or includes from other sites. It will also be saved in the history of the browser, so an attacker might try to guess and verify the original contents of the link with an attack against the history.

Upvotes: 3
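To make the log-file point concrete, here is an added example (written for this page, not code from the answer's author): it renders the Common Log Format line most HTTP servers write by default for a request, and pulls credential-looking parameters back out of a URL the way anyone reading that log or the browser history could. The two requests, the client address, the timestamp and the list of sensitive parameter names are constructed assumptions.

```javascript
// Added example (not from the original post): what an access log records
// when credentials travel in the query string versus in a header.
// The requests, timestamp and parameter names below are constructed.

// Render one Common Log Format line. Only the request line (method, URL,
// version) is written; request headers such as Authorization and the request
// body are not.
function accessLogLine(req) {
  const ts = '10/Oct/2000:13:55:36 -0700'; // fixed for determinism (constructed)
  return `${req.remoteAddr} - - [${ts}] "${req.method} ${req.url} HTTP/1.1" ${req.status} ${req.bytes}`;
}

// Parameter names treated as credentials (assumed list for the example).
const SENSITIVE_PARAMS = ['user', 'pass', 'password', 'pwd', 'token', 'secret'];

// Recover credential-looking parameters from a URL, as someone with access to
// the server log, the browser history, or a Referer header on another site
// could. Returns an object of name -> value; empty when nothing is exposed.
function credentialsExposedByUrl(url) {
  const u = new URL(url, 'https://api.example'); // base only needed for relative URLs
  const found = {};
  for (const [name, value] of u.searchParams) {
    if (SENSITIVE_PARAMS.includes(name.toLowerCase())) found[name] = value;
  }
  return found;
}

// Constructed requests: the same login with credentials in the query string
// (the ?user=...&pass=... form from the answer) and in an Authorization header.
const queryStringLogin = {
  remoteAddr: '203.0.113.7', method: 'GET',
  url: '/login?user=myUsername&pass=MyPasswort', status: 200, bytes: 512,
};
const headerLogin = {
  remoteAddr: '203.0.113.7', method: 'GET', url: '/login', status: 200, bytes: 512,
  headers: { authorization: 'Basic ' + Buffer.from('myUsername:MyPasswort').toString('base64') },
};

// Does the log line (or anything else that stores the URL, such as history)
// contain the plaintext password?
function logLeaksPassword(req, password) {
  return accessLogLine(req).includes(password);
}

console.log(accessLogLine(queryStringLogin)); // password visible in the request line
console.log(accessLogLine(headerLogin));      // "/login" only; the header is not logged
console.log(credentialsExposedByUrl(queryStringLogin.url)); // { user: 'myUsername', pass: 'MyPasswort' }
```

The header-based request is not immune to every exposure (a server that logs headers, or a proxy that does, would still capture it), but it keeps the password out of the three places this answer names: the default access log, the browser history, and the Referer header.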
