Comments on: GET vs POST and URL security

By: Ulf

Ulf — Sat, 08 May 2010 08:00:13 +0000

@psi: No, GET and POST should not be used interchangeably; in fact, the HTTP spec is quite clear on the fact that web apps that do so are semantically broken. But POST can be used for purposes for which GET would be sufficient -idempotent operations- if POST’s characteristics are better suited for it – like hiding parameters. You’re right that GET should not be used for operations that change state.

By: psi

psi — Mon, 03 May 2010 11:58:25 +0000

This is very interesting. The strange think that I see here, though, is the implication that GET and POST could/should/might be used interchangeably to accomplish the same operation. I was under the impression that they had very discreet roles: GET is an idempotent operation used to retrieve a resource from the server, POST is an operation used to create it, and PUT is an operation used to update it. Could/should/might GET, POST and PUT both be correctly used for the same form submission, then? POST and PUT seem the right verbs for a form submission that changes state on the server (Add a comment to a blog), and GET seems the right verb for a form submission that is requesting specific information from the server (like using a search engine to find pages that match a set of keywords).

This would have the side-effect of causing updates of bank account or social security information to be POSTs or PUTs (which don’t use the query-string). The only issues we would ever have would be:

-The user is trying to GET a resource from the server using some secure field (like a social security number)
-The developer has used GET to do form submissions involving creates or updates

Are there actually valid use-cases for either?

By: Ulf

Ulf — Mon, 03 May 2010 07:36:14 +0000

Just in case the connection isn’t clear between sensitive URLs and links from them to external sites: the URL of the page containing the link is sent via the HTTP Referer header. While some browsers -like Firefox- have an obscure setting to suppress this header, few users will be aware of its existence or significance. (And some web apps actually rely on that header being sent, although I’d say those apps are broken since the HTTP spec does not require it.)