0

I was thinking about that topic, and I am a little bit confused. I am using SSL. There is some story:

  1. User click on the button "Give me X"
  2. Service 1 receive it, get userName from the session and send GET to Service 2 passing userName as URL parameter
  3. Service 2 receives it, sends the response with some data.
  4. Service 1 receive it and send that data back to the user.

Service 1 and 2 are in this same machine, uses the same web container (Tomcat for example).
I found that when we send a request directly from the user (he can see the destination URL) is not safe, but I did not found anything about "forwarding". It is safe?

And I know that there are a lot of better solutions, but this question is purely hypothetical ;)

B_Osipiuk
  • 103
  • 4
  • I don't really understand the focus of your question, i.e. what you consider "safe". *"I found that when we send a request directly from the user (he can see the destination URL) is not safe,..."* - If your problem is that the user can see what is send then nothing is safe since in developer tools you can also see what gets send in the POST request. If instead you fear that an attacker could see what gets transferred then SSL should protect you against this - and if SSL would be broken it does not matter for an attacker if it is GET or POST. – Steffen Ullrich Nov 21 '18 at 20:01
  • @SteffenUllrich Yeah, maybe I show you not the best example, sorry for that. So another example: I just communicate my 2 services using, for example, GET and put some sensitive data inside URL parameters. It is safe? Safe I mean - does anyone can steal my sensitive data (excluding my second service). – B_Osipiuk Nov 21 '18 at 20:11

1 Answers1

1

When you are connected with HTTPS to a website, only the domain will be visible to others when they lets say use Wireshark, not the URL parameters. However, there are more risks involved.

There is no significant difference to POST and GET requests when it comes down to altering the values for example, any user can easily edit a POST request just as easily as altering the URL. You can also see POST packages being send over the network when not using HTTPS to connect.

However, GET requests can be cached and will remain in the browser history. They can also be bookmarked and these are main risks involved. Best practice is to not use GET requests for sensitive data.

Kevin
  • 1,643
  • 9
  • 20