From: Ben Mord (bmord_at_icon-nicholson.com)
Date: Wed Jul 10 2002 - 14:52:26 CDT


    I feel strongly that you should use POST when using HTTP(S) for transferring
    data. This is much more consistent with the intent of POST versus GET as
    described in the HTTP 1.1 spec, and is less likely to cause you grief down
    the road from HTTP caching proxies or from arbitrary query string or URL
    length restrictions. There are other hacks you can use to explicitly tell
    proxies not to cache your content, and the use of HTTPS itself should
    preclude caching by proxies anyhow. But if you later switched to HTTP and
    instead performed encryption higher in your application (e.g. encrypted
    objects), then you will be thankful you stuck to POST. It's just one less
    thing to forget, and I know of no inherent advantages to GET for data
    transfer. Use of GET for data push is just an abuse of the spec.

    This is not only a functional concern, this is also a security concern. You
    don't want to cache sensitive content anywhere you don't need to. (Again,
    only a concern if you might some day switch from SSL to application-level
    encryption.) For a few HTTP (not HTTPS) security related considerations, see
    also:
    http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html

    Perhaps someone can suggest best practices specific to HTTP*S* with data
    transfer?

    Regards,
    Ben Mord
    benmord@earthlink.net
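As an added illustration of the reply above (example code, not from the thread or either poster), the following shows where the same parameters end up under GET versus POST, a review check that flags sensitive names leaking into the query string, and the explicit no-cache response headers the reply alludes to for plain HTTP. The URL, parameter names and values are constructed samples.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample payload: the kind of parameters an application might
# push between tiers. "token" stands in for anything sensitive.
PAYLOAD = {"account": "12345", "token": "s3cr3t-session-token"}
SENSITIVE_KEYS = {"token", "password", "ssn"}


def build_get(base_url, params):
    """GET places the data in the URL, so it lands in proxy caches,
    access logs, browser history and Referer headers."""
    return "GET", base_url + "?" + urlencode(params), {}, b""


def build_post(base_url, params):
    """POST carries the data in the entity body; the URL stays data-free."""
    body = urlencode(params).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Content-Length": str(len(body))}
    return "POST", base_url, headers, body


def sensitive_in_url(url, sensitive=SENSITIVE_KEYS):
    """Review check: names of sensitive parameters exposed in the query
    string (empty for a request built with build_post)."""
    qs = parse_qs(urlsplit(url).query)
    return sorted(k for k in qs if k in sensitive)


def no_cache_headers():
    """Response headers telling HTTP/1.1 and HTTP/1.0 caches not to store
    the content: the explicit opt-out the reply mentions for plain HTTP."""
    return {"Cache-Control": "no-store, no-cache, must-revalidate, private",
            "Pragma": "no-cache",
            "Expires": "0"}


def response_is_cacheable(headers):
    """True when nothing in the headers forbids a shared cache storing it."""
    directives = {d.strip().lower()
                  for d in headers.get("Cache-Control", "").split(",")}
    return not ({"no-store", "private"} & directives)


if __name__ == "__main__":
    _, get_url, _, _ = build_get("https://app.example/api", PAYLOAD)
    _, post_url, _, post_body = build_post("https://app.example/api", PAYLOAD)
    print("GET leaks:", sensitive_in_url(get_url))    # ['token']
    print("POST leaks:", sensitive_in_url(post_url))  # []
    print("cacheable by default:", response_is_cacheable({}))
    print("cacheable with opt-out:", response_is_cacheable(no_cache_headers()))
```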

    -----Original Message-----
    From: Steven Fling [mailto:SFLING@oppenheimerfunds.com]
    Sent: Wednesday, July 10, 2002 2:36 PM
    To: webappsec@securityfocus.com
    Subject: Best Practices for passing data via HTTP

    Our application communicates across various application server environments
    via HTTP/HTTPS requests (versus RMI, etc.) and needs to pass data/parameters
    back and forth. Naturally we use SSL to encrypt the request/response.

    I wanted to see if there were any Best Practices established to transfer
    data in this fashion. POST vs. GET method, querystring vs. hidden form
    variable, etc.

    Any insight would be appreciated!

    ____________________________________
    Steve Fling
    Managing Architect - Web Development
    OppenheimerFunds, Inc.
    sfling@oppenheimerfunds.com
    Office: 303.768.3200
    FAX: 303.768.1096
    http://www.oppenheimerfunds.com
    ____________________________________
