
How safe is a hybrid mobile application developed using a GET Web service over HTTPS?

What are the pros and cons of using it and how safe is POST over HTTPS?

user47784
  • 93
  • 1
  • 3

2 Answers


In HTTPS, the TLS channel is established before any HTTP data is transferred so, from that point of view, there is no difference between GET and POST requests (or any other HTTP verb, for that matter).

A few things might impact system security, though:

  • GET requests usually are logged in full while POST requests usually are not. This means that, potentially, you might get more information leaked through GET than POSTs (this logging can happen in the client - through history - on a proxy server or on the web server itself).
  • GET requests are more constrained by size than POSTs. This makes it (slightly) more difficult to use them as a way to attack the web application.
Stephane
  • Is there any white paper regarding this? – user47784 Jun 04 '14 at 12:16
  • regarding what? – Stephane Jun 04 '14 at 12:55
  • Also, according to [RFC 2616](http://www.ietf.org/rfc/rfc2616.txt), GET requests should be idempotent; see [Using GET for a non-idempotent request](http://stackoverflow.com/questions/8657212/using-get-for-a-non-idempotent-request) on StackOverflow, for example. – Owen Blacker Jun 04 '14 at 15:33
  • I believe @OwenBlacker should be considered as a main point. NEVER use GET if it changes anything in the system (other than statistics of course). I personally don't make an exception even if I have CSRF tokens. – AKS Jun 04 '14 at 17:55

If you have sensitive information you should not use a GET even with https, because this information might be sent to a 3rd party inside the Referer.

Steffen Ullrich
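The two leakage paths named in the answers above (server access logs and the Referer header) can be modelled in a few lines. This is an added example, not code from either answerer; the log format, the hostname `app.example` and the `SENSITIVE_KEYS` set are constructed for illustration, and the Referer model assumes the page then loads a third-party resource over HTTPS (so no downgrade occurs).

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed list of query-parameter names that should never travel in a URL.
SENSITIVE_KEYS = {"token", "password", "session", "ssn"}


def access_log_line(method: str, url: str, status: int = 200) -> str:
    """Common Log Format style line (constructed sample). Servers and proxies
    record the full request target, query string included, but not a POST body."""
    parts = urlsplit(url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return (f'203.0.113.5 - - [04/Jun/2014:12:16:00 +0000] '
            f'"{method} {target} HTTP/1.1" {status} 512')


def referer_sent(page_url: str, policy: str = "no-referrer-when-downgrade"):
    """Referer value a browser sends when the page at page_url loads a resource
    from a different origin over HTTPS, for the given Referrer-Policy.
    Returns None when no Referer header is sent. Fragments are never sent."""
    p = urlsplit(page_url)
    if policy in ("no-referrer", "same-origin"):
        return None  # same-origin sends nothing to a cross-origin destination
    if policy in ("origin", "strict-origin", "origin-when-cross-origin",
                  "strict-origin-when-cross-origin"):
        return urlunsplit((p.scheme, p.netloc, "/", "", ""))  # origin only
    # no-referrer-when-downgrade (the legacy default) and unsafe-url:
    # the whole URL, so a token in the query string goes to the 3rd party.
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def exposed_fields(url: str) -> list:
    """Sensitive parameter names present in the query string, i.e. the fields
    that will end up in history, logs and Referer. A POST body never appears here."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k in params if k.lower() in SENSITIVE_KEYS)


if __name__ == "__main__":
    leaky = "https://app.example/api/user?token=abc123&page=2"
    print(access_log_line("GET", leaky))
    print(access_log_line("POST", "https://app.example/api/user"))
    print(referer_sent(leaky))
    print(referer_sent(leaky, "strict-origin-when-cross-origin"))
    print(exposed_fields(leaky))
```

Moving `token` into a POST body (or a header) removes it from all three places, and a `Referrer-Policy` of `strict-origin-when-cross-origin` or `no-referrer` limits what the Referer path can carry even for URLs you do not control.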