4.28.2016

Which HTTP method, GET or POST, is more secure? How about over a secure connection (HTTPS)?

There are many considerations when deciding whether to send form data with an HTTP GET or POST request. Some of them include ease of use, allowing the use of the browser's back and reload buttons, and so on. Some developers use one method or the other exclusively. But the main consideration we will look into here is security.

We all know that when we send a GET request, the URL is visible to you and to the person sitting right next to you. Well, of course that's insecure! In a POST request, the form data is sent in the body of the request instead. What about GET and POST requests sent via HTTPS? Surely those are secure, right?

Submitting data via POST is the more secure way, or rather the less insecure way. The reasons are pretty simple. URLs are saved or transmitted in at least a couple of places: 1) in the browser's history, 2) in the HTTP Referer header and 3) in the web server's log files. Attackers have at least these places to look in to get at the juicy URLs.

How hard would it be to leave a USB stick carrying a piece of malicious software around the office, or better yet at various conferences and event halls, labeled "try our demo today"? Once run, it can crawl your browser history and upload it periodically. How about another attack vector via the ad networks, which display an ad and log the Referer, i.e. the last page that was visited by the user? That URL can very well be the GET request with all kinds of query string information in it. Don't even get me started on CDNs and the danger of leaking your URLs in the Referer when fetching images and JavaScript files. Just about all web pages do this these days unless you put this meta element in every page of your site: <meta name="referrer" content="never">. Of course, as of yet, not all browsers support this under HTML5. What's even worse is that most web servers keep logs of all URLs. And every single URL can potentially be logged, whether it comes over a secured TCP connection or not.
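The two leak points above, the server's own access log and the Referer header carried to third parties, can both be audited from ordinary log lines. The following Python is an added example written for this post, not code from the original; the log lines are constructed in the common "combined" format, and the list of parameter names treated as sensitive is an assumed starting point rather than any standard. It flags GET requests (and Referer values) whose query string carries such parameters, and shows a redaction step you can apply before a URL is written to a log.

```python
"""
Audit web-server access logs for sensitive data leaked through GET query
strings, and redact such URLs before they are logged.

Added example, not the post author's code. SAMPLE_LOG is constructed;
SENSITIVE_PARAMS is an assumed list to extend for your application.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names whose values should never travel in a URL (assumed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "session", "ssn",
                    "credit_card", "cc", "cvv", "api_key", "secret"}

# Constructed combined-format log lines: client, ident, user, time,
# request line, status, bytes, referer, user-agent.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Apr/2016:10:01:02 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Apr/2016:10:01:09 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/login" "Mozilla/5.0"
10.0.0.7 - - [28/Apr/2016:10:02:15 +0000] "GET /search?q=shoes HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [28/Apr/2016:10:03:40 +0000] "GET /img/logo.png HTTP/1.1" 200 900 "https://example.test/account?ssn=123-45-6789&token=abc" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def sensitive_params_in(url):
    """Return the sorted names of sensitive query parameters present in url."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def scan_access_log(text):
    """Return one finding per (line, location) where the request target or
    the Referer carries sensitive parameters. A POST body never appears in
    the access log, so a POST request line cannot fire here; its Referer can."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        for where, url in (("request", m["target"]), ("referer", m["referer"])):
            hits = sensitive_params_in(url)
            if hits:
                findings.append({"line": lineno, "client": m["client"],
                                 "method": m["method"], "where": where,
                                 "params": hits})
    return findings


def redact_url(url):
    """Mask the values of sensitive query parameters so the URL can be logged.
    Use this on the request target before writing your own application logs;
    it does not help with logs kept by third parties that received the URL."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} from {f['client']} leaks "
              f"{', '.join(f['params'])} in {f['where']}")
    print(redact_url("/account?ssn=123-45-6789&token=abc"))
```

Line 1 is the classic case the post warns about (credentials in a GET query string); line 4 shows the second leak, where the sensitive URL arrives as the Referer of an image fetch and is recorded by whoever serves that image. Redaction only cleans your own logs; the durable fix is the post's rule of not putting the data in the URL at all, combined with a referrer policy. Note that the `never` value quoted above is the legacy spelling; the current Referrer Policy standard calls it `no-referrer`, and the same policy can be set server-side with a `Referrer-Policy: no-referrer` response header, which does not depend on every page carrying the meta element.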

As a security-minded developer, if you stick to this one rule, your users and employers will thank you: never send sensitive data using the GET method. Ask yourself this question the next time you are working on a web application: "Am I relying too heavily on passing data via the GET request and the query string?" If the answer is yes, choose POST. To help you remember, think of the POST OFFICE as being more secure because they package up your data, as opposed to the GET OFFICE. :[
