Reputation: 4023
When performing CRUD operations, we can execute them with a form as follows:
<form action="/todo/<%= todos[i]._id %>?_method=DELETE" method="POST">
  <button>x</button>
</form>
And the controller as follows:
// The form above sends a POST; the method-override middleware turns the
// ?_method=DELETE query parameter into a DELETE so this route matches.
app.use(require('method-override')('_method'));

app.delete('/todo/:id', (req, res) => {
  // callback-style Mongoose API; newer Mongoose versions return a promise instead
  Todo.findByIdAndDelete(req.params.id, (err) => {
    if (err) {
      console.log(err);
      return res.sendStatus(500); // answer the request instead of leaving it hanging
    }
    res.redirect('/todo');
  });
});
Or we can perform it using jQuery as follows:
$(document).ready(function(){
  $('form').on('submit', function(){
    var item = $('form input');
    var todo = {item: item.val()};
    $.ajax({
      type: 'POST',
      url: '/todo',
      data: todo,
      success: function(data){
        //do something with the data via front-end framework
        location.reload();
      }
    });
    return false; // stop the browser's own form submission
  });
});
What is the difference between the two methods (ignoring that one performs a 'delete' and the other a 'post')? Some say the latter is more secure than the former, but I could not find any literature on it.
Upvotes: 0
Views: 153
Reputation: 230521
The following link is where the person briefly mentions this point [about the AJAX request being more secure], although he doesn't provide any explanation: youtu.be/aZ16pkrMkZE?t=875
He's talking about something else entirely: performing a DELETE request via AJAX versus deleting objects in your app by clicking a simple link (which results in a GET request).
The latter is not only against conventions (GET requests should not change data), it's also... not insecure, but "dangerous". Imagine that Google's crawler visits your site and follows every link. Poof, all your deletable objects are gone.
And in some cases it can be insecure too. Imagine that in order to create/update/delete objects you need to authenticate the user somehow, say with an auth token. Since it's a plain link and a GET request, the token must go into the query string. This way it'll be exposed for everyone to see, cached in every caching proxy, and stored for eternity in traffic logs. Not very secure.
Upvotes: 1
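To make the answer's two points concrete, here is an added example that is not part of the original question or answer: a dependency-free Node.js sketch of a "delete via plain link" app beside a "delete via DELETE (or POST with the form's _method=DELETE override)" app, each run against a constructed crawler that follows every link and each writing a simulated access log. The todo ids, the token value, the client IP, the route shapes and the Common-Log-Format-style log line are all assumptions made for this demo, not anything from the question's project.

```javascript
// Added example, not code from the question or the answer. Shows (1) a crawler
// following GET links deleting everything in the link-style app and (2) the auth
// token landing in the access log when it rides in the query string, versus the
// DELETE-style app where GET is inert and the token travels in a header.
const DEMO_TOKEN = 'demo-token-123'; // constructed credential for the demo

function makeStore() {
  // constructed todo items
  return new Map([['a1', 'buy milk'], ['b2', 'write report']]);
}

// Build a request object from a method, a path+query string and optional headers.
function makeRequest(method, rawUrl, headers = {}) {
  const u = new URL(rawUrl, 'http://localhost');
  return { method: method.toUpperCase(), path: u.pathname, search: u.search,
           query: u.searchParams, headers, ip: '203.0.113.7' }; // constructed IP
}

// What a proxy or web server keeps in its access log: the request line only.
// Headers and bodies are not recorded, but the query string is.
function accessLogLine(req) {
  return `${req.ip} - - "${req.method} ${req.path}${req.search}"`;
}

// Link style: GET /todo/:id/delete?token=... Anything that follows links deletes
// the item, and the token is written into every log on the path.
function handleLinkStyle(store, req, log) {
  log.push(accessLogLine(req));
  const m = req.path.match(/^\/todo\/([^/]+)\/delete$/);
  if (req.method !== 'GET' || !m) return { status: 404 };
  if (req.query.get('token') !== DEMO_TOKEN) return { status: 401 };
  store.delete(m[1]);
  return { status: 302, location: '/todo' };
}

// Conventional style: DELETE /todo/:id, or POST with the ?_method=DELETE override
// the question's form uses. The token travels in the Authorization header, which
// the access log never sees, and a GET to the same path changes nothing.
function handleDeleteStyle(store, req, log) {
  log.push(accessLogLine(req));
  const m = req.path.match(/^\/todo\/([^/]+)$/);
  if (!m) return { status: 404 };
  let method = req.method;
  if (method === 'POST' && req.query.get('_method') === 'DELETE') method = 'DELETE';
  if (method !== 'DELETE') return { status: 405 }; // GET never mutates
  if (req.headers.authorization !== `Bearer ${DEMO_TOKEN}`) return { status: 401 };
  store.delete(m[1]);
  return { status: 302, location: '/todo' };
}

// A crawler that follows every link it was given with a plain GET (constructed).
function crawl(handler, store, hrefs) {
  const log = [];
  for (const href of hrefs) handler(store, makeRequest('GET', href), log);
  return { remaining: [...store.keys()], log };
}

function demo() {
  // 1. The crawler hits the link-style app: everything is gone, token is in the log.
  const linkStore = makeStore();
  const crawledLinks = crawl(handleLinkStyle, linkStore,
    ['/todo/a1/delete?token=demo-token-123', '/todo/b2/delete?token=demo-token-123']);

  // 2. The same crawler against the DELETE-style app: nothing changes.
  const deleteStore = makeStore();
  const crawledDelete = crawl(handleDeleteStyle, deleteStore, ['/todo/a1', '/todo/b2']);

  // 3. A real user deletes via the overridden form POST and via a DELETE request;
  //    the token never reaches the log.
  const userLog = [];
  const auth = { authorization: `Bearer ${DEMO_TOKEN}` };
  const formPost = handleDeleteStyle(deleteStore,
    makeRequest('POST', '/todo/a1?_method=DELETE', auth), userLog);
  const ajaxDelete = handleDeleteStyle(deleteStore,
    makeRequest('DELETE', '/todo/b2', auth), userLog);

  return {
    linkStyleRemaining: crawledLinks.remaining,
    linkStyleLogLeaksToken: crawledLinks.log.some((l) => l.includes(DEMO_TOKEN)),
    deleteStyleAfterCrawl: crawledDelete.remaining,
    formPostStatus: formPost.status,
    ajaxDeleteStatus: ajaxDelete.status,
    deleteStyleRemaining: [...deleteStore.keys()],
    deleteStyleLogLeaksToken: userLog.some((l) => l.includes(DEMO_TOKEN)),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Run it with `node` to see the two outcomes side by side. Note that both variants in the question (the form POST with `_method=DELETE` and the jQuery AJAX call) already fall on the safe side of this distinction; the GET branch in the example is only there to show what the answer warns against.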