
All considerations of HTTPS/SSL, etc aside, if my user fills out a form and I send it by AJAX, it seems to me that POST & GET are equally interceptible, although GET is a teensy bit more transparent.

Is there any sound technical reason to prefer POST?

Anders

3 Answers

You should use POST for any state-changing action. If you save the content of the form, or use the form to send an e-mail, you should use a POST.

There are several reasons why this is more secure:

  • CSRF is easier with GET requests than with POST requests. With GET requests you can simply send someone a link. With a POST request an attacker needs to have a crafted HTML page. When your framework has CSRF protection, this is typically only active on POST requests.
  • The browser policy is different for POST requests. For example, you get a confirm dialog if you try to reload the page. One example of where this applies to security is same-site cookies. With the "lax" setting, POST requests are blocked cross-origin and GET requests are not.

See also this answer.

Sjoerd

  • Also, don't send sensitive information (e.g. passwords) with GET even if you do use TLS: http://security.stackexchange.com/questions/128830/security-disadvantages-of-sending-a-password-with-get – Anders Jul 07 '16 at 07:26
  • In addition, in case of GET more sensitive data can get to access logs. POST request bodies aren't logged by web servers by default. – CaptainRR Jul 07 '16 at 07:39
  • "POST request an attacker needs to have a crafted HTML page" not really, you can use curl or a great number of other REST tools to send post messages – CaffeineAddiction Jul 08 '16 at 16:26

You can see GET Request Parameters(Query string) in the Address Bar of the Web Browser

So you don't want to end up like this

http://www.mysupersecuresite.com/login.php?name=me&password=mycoolpassword

techno

  • Remember, I am talking about AJAX – Mawg says reinstate Monica Jul 07 '16 at 10:20
  • @Mawg Might still be displayed in the status bar, in the browser history, in the cache on your machine and on proxies, in server logs, etc, etc. Never send sensitive information with GET. – Anders Jul 07 '16 at 10:35
  • Status Bar, Browser History, Address Bar do not show the URL of AJAX requests, only of plain navigation. Proxies, Server Logs, Browser Cache, etc will log the URL regardless of GET vs POST, AJAX vs navigation. Please edit your answer to be more correct since the original question was clearly speaking of AJAX. – 700 Software Jul 07 '16 at 17:14

Is there any sound technical reason to prefer POST?

Yes, if there is a "state change" then a safe method should not be used.

See RFC7231:

Request methods are considered "safe" if their defined semantics are
essentially read-only; i.e., the client does not request, and does
not expect, any state change on the origin server as a result of
applying a safe method to a target resource ...

the GET, HEAD, OPTIONS, and TRACE methods are defined to be safe.

From a security perspective using POST is also preferred, because any corporate proxy servers (i.e. those with trusted certificates for TLS/SSL inspection) may log GET query string parameters by default (as they form part of the URL), and they will also be stored in your server logs by default.

Using POST means these values are less likely to leak places you don't expect.

SilverlightFox