2

It is known that sensitive information should not be transmitted in GET requests, as GET requests will be cached, and POST should be used.

  • Why can't we use the POST method for all requests and ignore the GET method?

  • What difficulties/barriers will be faced if we ignore the GET method and start using POST exclusively?

schroeder
Jaka
  • 6
    This question has little to do with security, and should be moved to Stack Overflow. At first blush, though, your question itself has a simple enough answer: it would completely break caching across the web. – Stephen Touset Mar 21 '17 at 07:16
  • 1
    @StephenTouset Please don't suggest sending questions like this to Stack Overflow. The question is too broad and doesn't show prior research. – S.L. Barth Mar 21 '17 at 10:48
  • 1
    Why use POST everywhere? I meet some very old programmers who were facing security problems and think POST will change anything. These differences were resolved in SSLv2, so in TLSv1.2 all of these methods have the same security level. So in 2019, using only POST will bring you more problems than before. The system will start to recognize it by standards. – Lucas Rodrigues Sena Jul 02 '19 at 10:32

3 Answers

7

HTTP has different verbs, which have different semantics:

  • GET : does not change anything server side; multiple GETs with the same parameters should get the same response - typically get an account value
  • POST : can make changes server side; multiple POSTs with the same parameters can lead to different results and responses - typically add an amount to an account
  • PUT : can make changes server side; multiple PUTs with the same parameters should lead to the same result and response - typically set an account value

DELETE and HEAD also exist, but I do not think that you want to use them here.

As POST is not idempotent, major browsers will warn you if you send the same POST request twice, which is not desirable in GET use cases.

Anyway, headers in the HTTP request control whether the response should be cached or not, so it is possible to ask caches not to keep responses to GET requests.

Finally, caching (in the sense of caching proxies) is not security related. If you do not want someone to eavesdrop on your requests and responses, you should not worry about caching but use HTTPS, which ensures that everything is correctly encrypted.

Browser caching is a different question, because browsers can store the last URLs in their history cache. So sensitive information should not be sent in the URL, unless you consistently clean the history when you close your browser, and close your browser when you have finished browsing a site. But "sent in the URL" and "sent in a GET request" are different questions. HTTP basic authentication allows passing the credentials in the HTTP headers of a GET request, which is safe. And login form authentication is a non-idempotent request (the state after and before authentication is not the same), so it shall be a POST request per HTTP semantics.

TL/DR: The problem is not in GET vs POST request. The rules for confidentiality are:

  • always use HTTPS
  • never pass sensitive data in the URL.
Serge Ballesta
  • Great answer! But I am not with you that caching would not be security related. Caching sensitive data is a security breach and creates a potential avenue for data loss. That makes a good reason for POST requests for any sensitive data like account details or personal information. – Wealot Mar 21 '17 at 09:53
  • @Wealot: I missed the point of browser level caching. Should be more clear now. – Serge Ballesta Mar 21 '17 at 10:40
  • No worries this is a great answer now! – Wealot Mar 21 '17 at 13:05
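To make the answer's rules concrete, here is a small added example (not Serge Ballesta's code, and not from any project): a stdlib-only WSGI app in which the sensitive read is an idempotent GET that takes credentials from the Authorization header and is returned with Cache-Control: no-store, login is a POST because it changes state, and any request carrying a secret in the query string is refused. The demo user table, the /account and /login paths, and the `request` helper are assumptions made for this example.

```python
import base64
import io
from urllib.parse import parse_qs

DEMO_USERS = {"alice": "correct horse battery staple"}  # constructed demo data, not a real store
SENSITIVE_PARAMS = {"password", "token"}
# Tells proxy and browser caches alike not to keep the response.
NO_STORE = [("Cache-Control", "no-store, private")]

def basic_auth_user(environ):
    """User name from a valid 'Authorization: Basic' header, else None."""
    scheme, _, cred = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    try:
        user, _, pw = base64.b64decode(cred).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if scheme == "Basic" and DEMO_USERS.get(user) == pw else None

def app(environ, start_response):
    method, path = environ["REQUEST_METHOD"], environ.get("PATH_INFO", "/")
    query = parse_qs(environ.get("QUERY_STRING", ""))
    # Secrets in the URL end up in history, logs and Referer headers: refuse them.
    if SENSITIVE_PARAMS.intersection(query):
        start_response("400 Bad Request", NO_STORE)
        return [b"sensitive data must not be sent in the URL"]
    if method == "GET" and path == "/account":  # idempotent read of sensitive data
        user = basic_auth_user(environ)
        if user is None:
            start_response("401 Unauthorized", NO_STORE + [("WWW-Authenticate", 'Basic realm="demo"')])
            return [b""]
        start_response("200 OK", NO_STORE)
        return [f"balance for {user}: 42.00".encode()]
    if method == "POST" and path == "/login":  # changes state, so POST
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        ok = DEMO_USERS.get(form.get("user", [""])[0]) == form.get("password", [""])[0]
        start_response("200 OK" if ok else "401 Unauthorized", NO_STORE)
        return [b"logged in" if ok else b"bad credentials"]
    start_response("405 Method Not Allowed", [("Allow", "GET, POST")])
    return [b""]

def request(method, path, query="", body=b"", auth=None):
    """Drive the app with a constructed WSGI environ; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    if auth:  # auth is a (user, password) tuple, encoded as HTTP Basic
        environ["HTTP_AUTHORIZATION"] = "Basic " + base64.b64encode(":".join(auth).encode()).decode()
    out = {}
    resp = b"".join(app(environ, lambda s, h: out.update(status=s, headers=dict(h))))
    return out["status"], out["headers"], resp
```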
1

Your principal problem is that if you try to reload a page submitted by a POST request, the browser will generally pop up a warning that it might do something twice. This is not what you want to happen on most pages that use GET requests.

Mike Scott
-1

Basically, GET is considered a request for some operation or data, and the data sent through GET is considered a parameter.

If you have a blog application and you request a specific post, you may need to use GET:

www.mysite.com/myblogapp?post=12

Now your browser address is updated; you can share the URL for that blog post, or use the back button to load the last visited blog post (which is not possible with the POST method).

POST is used for sending large amounts of data, such as form data, uploaded files, etc.

Sajan