From: Kevin Spett (kspett_at_spidynamics.com)
Date: Wed Jul 10 2002 - 14:38:20 CDT


    POST is definitely better than GET. In a GET request the query data is sent
    as part of the URL, which will likely be logged by the webservers or proxies
    that it passes through. POST data is in the body of the HTTP request and
    isn't logged. Hidden form input vs. visible input doesn't really matter, as long
    as you use POST. Depending on how sensitive the information is and how your
    application is designed, you may also want to do application-layer
    encryption on the query data. This way, you can protect the information
    from being viewed by someone who needs to have access to (or has stolen) the
    server's PKI keys, such as a system administrator, but should not be able to
    view confidential customer information.
    And of course, Ye Olde Secure Sockets Layer.

    I hope that helps.

    Kevin Spett
    SPI Dynamics, Inc.
    http://www.spidynamics.com/

    ----- Original Message -----
    From: "Steven Fling" <SFLINGoppenheimerfunds.com>
    To: <webappsecsecurityfocus.com>
    Sent: Wednesday, July 10, 2002 2:36 PM
    Subject: Best Practices for passing data via HTTP

    Our application communicates across various application server environments
    via HTTP/HTTPS requests (versus RMI, etc.) and needs to pass data/parameters
    back and forth. Naturally we use SSL to encrypt the request/response.

    I wanted to see if there were any Best Practices established to transfer
    data in this fashion. POST vs. GET method, querystring vs. hidden form
    variable, etc.

    Any insight would be appreciated!

    ____________________________________
    Steve Fling
    Managing Architect - Web Development
    OppenheimerFunds, Inc.
    sflingoppenheimerfunds.com
    Office: 303.768.3200
    FAX: 303.768.1096
    http://www.oppenheimerfunds.com
    ____________________________________

    This electronic mail transmission may contain confidential information and
    is intended only for the person(s) named. Any use, copying or disclosure by
    any other person is strictly prohibited. If you have received this
    transmission in error, please notify the sender via e-mail.
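The logging point made in the reply above can be checked directly. The following is an added example, not code from the thread or from either poster: it starts a throwaway `http.server` on loopback, captures the access-log lines that `BaseHTTPRequestHandler` would normally print, and sends the same two (constructed, fictitious) parameters once as a GET query string and once as a POST body. The parameter names and values are invented for the demonstration.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class LoggingHandler(BaseHTTPRequestHandler):
    """Records access-log lines the way a typical webserver does: the request line
    (method, path and query string, protocol version) is logged, the body is not."""

    access_log = []  # constructed in-memory log, shared across requests

    def log_message(self, format, *args):
        # Capture the log line instead of writing it to stderr.
        self.access_log.append(format % args)

    def _ok(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        self._ok()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        self.rfile.read(length)  # consume the body; it never reaches the access log
        self._ok()


def start_server():
    server = HTTPServer(("127.0.0.1", 0), LoggingHandler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def send_get(base_url, params):
    # Parameters travel in the URL, so they end up in the request line.
    url = base_url + "/account?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url) as resp:
        return resp.status


def send_post(base_url, params):
    # Parameters travel in the body; only "POST /account" appears in the request line.
    body = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(base_url + "/account", data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return resp.status


def compare_logging(params):
    """Send the same parameters via GET and via POST; return the two log lines."""
    server = start_server()
    try:
        base = "http://127.0.0.1:%d" % server.server_address[1]
        LoggingHandler.access_log.clear()
        send_get(base, params)
        send_post(base, params)
        return tuple(LoggingHandler.access_log)
    finally:
        server.shutdown()
        server.server_close()


def leaked_values(log_lines, params):
    """Return the parameter values that appear verbatim in the given log lines."""
    return {v for v in params.values() if any(v in line for line in log_lines)}


if __name__ == "__main__":
    # Constructed sample data: a fictitious account number and identifier.
    sample = {"account": "123456789", "ssn": "987654321"}
    get_line, post_line = compare_logging(sample)
    print("GET  logged as:", get_line)
    print("POST logged as:", post_line)
    print("values visible in the GET log line:", leaked_values([get_line], sample))
    print("values visible in the POST log line:", leaked_values([post_line], sample))
```

The GET line comes back as `"GET /account?account=123456789&ssn=987654321 HTTP/1.1" 200 -`, while the POST line carries only the path. Any intermediate proxy, browser history or referrer header sees the same URL, which is why the distinction holds regardless of SSL: SSL protects the bytes in transit, not what the endpoints choose to write to disk.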