Reputation: 1143
Is it safe to send user email in a GET request?
I want to retrieve data from an applications back-end. I have to send the user's email via an API request from the front-end website in order to do this.
Is it good practice to send the user email in a GET request or a POST request? More specifically, is it good practice to not include a users email as a URL parameter because you don't want some other third party to see it?
Thanks
Upvotes: 8
Views: 17687
Answers (3)
Reputation: 2367
Never use any personally identifying information in a url or query string. Use a identifier unique to that context, session, or state, such as a UUID that correlates to the personally identifying information elsewhere.
What verb you use (GET, POST, etc.) will determine the functionality the receiver (server) supports traditionally. An example would be GET vs. POST where using a POST verb the server would allow you to pass a "body" as part of the HTTP request payload allowing you to send additional information beyond the query string. This is per the spec.
You can in fact (and preferably) use HTTP headers to pass your authentication based information such as a JWT token for all HTTP verbs given the client (which is almost all) support it.
At the end of the day when making an HTTP request you are sending a single unit of work as the "request" which is a plaintext payload that conforms to the HTTP spec and combines headers, body, etc... in to it.
Upvotes: 0
Reputation: 42304
You'll absolutely want to make use of POST requests rather than GET requests for querying email addresses, as GET requests should never be used for sending sensitive information.
Bearing that in mind, you also have to take into consideration what you're doing with your endpoint to begin with. If you're simply requesting public information about an email address (such as resolving the server name or IP), then perhaps a GET request would suffice.
Keep in mind you cannot pass any authorisation headers with a GET request, so if you're querying something like whether the email address in question has a registered account on your website, anyone would be able to find out your user's email addresses by spamming requests until they got a 200 response (thus validating a registered email). And knowing a valid user's email address could serve as an attack vector at a later stage.
In short, you most likely want POST. Only use GET if you're purely querying information about the domain that the email is hosted on.
Upvotes: 9
Reputation: 4138
Well, POST-request is better for hiding GET-params from logs. The best you could do - is encrypt data being transferred. You can use POST-request with SSL-encryption and it will be good enough for regular systems.
Upvotes: 5
Related Questions
- Should email verification be GET or POST?
- HTTP: Why is it wrong to send a username and password in a get request?
- Sending Personal Information in GET String
- Security: Sending email address in a url parameter
- PHP sending GET request through email securely
- Security - is it ok to send a username and password via HTTP GET?
- Is it a bad practice using email address in GET requests in Hypermedia API
- Is it ok to send login details over GET request using SSL
- HTTP 'Get' Security
- Is it ok to use GET urls in confirmation or verification emails for user accounts?