From: Venkat, Sanjay (svenkat_at_kpmg.com)
Date: Wed Jul 10 2002 - 15:47:11 CDT


    To echo most of the comments from the thread, GET and POST are both not
    secure.

    To further clarify, GET and POST are sent from the client to the server
    and cannot pass data back from the server to the client. The response is
    always an HTTP response of type 200 for OK. (Check HTTP response codes for
    more.)

    However, a best-practice selection between the GET and the POST method can
    be made using the following points.
    1. As the application (I assume web tier) is communicating to various
    application servers at the back end, the GET request and the POST request
    might not even be visible to the UI and hence are the same.

    2. The GET method has a limitation on the size of the data that can be sent.
    Though some web servers have buffers to deal with data larger than the
    recommended 4KB, some web/app servers' buffers will overflow. (This has been a
    DoS exploit in the past.)

    POST data has no such size limitation. Hence, if a user has direct access to
    constructing a GET request that is processed by the web application layer,
    POST is the safer call over a GET.

    3. POST data has advantages as it can deal with information other than
    URL-encoded information (i.e. MIME), so it is possible to let MIME handle
    multiple types of data for you instead of the encoding required with a GET.

    Hope this helps.

    Sanjay

    KPMG LLP
    Risk and Advisory Services.

    -----Original Message-----
    From: Steven Fling [mailto:SFLING@oppenheimerfunds.com]
    Sent: Wednesday, July 10, 2002 2:36 PM
    To: webappsec@securityfocus.com
    Subject: Best Practices for passing data via HTTP

    Our application communicates across various application server environments
    via HTTP/HTTPS requests (versus RMI, etc.) and needs to pass data/parameters
    back and forth. Naturally we use SSL to encrypt the request/response.
     
    I wanted to see if there were any Best Practices established to transfer
    data in this fashion. POST vs. GET method, querystring vs. hidden form
    variable, etc.
     
    Any insight would be appreciated!
     
    ____________________________________
    Steve Fling
    Managing Architect - Web Development
    OppenheimerFunds, Inc.
    sfling@oppenheimerfunds.com
    Office: 303.768.3200
    FAX: 303.768.1096
    http://www.oppenheimerfunds.com
    ____________________________________

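Worked example added to this archive page; it is not code from either poster. It puts points 2 and 3 of the reply above on the wire: a client-side builder that sends small text-only parameters as a GET query string, moves a parameter set that would exceed the request-target cap into a URL-encoded POST body, and switches to multipart/form-data as soon as a file part is present; and a server-side parser that bounds both methods, answering 414 for an over-long request target and 413 for an over-long body instead of buffering either. The limits MAX_REQUEST_TARGET (the 4KB figure from the reply) and MAX_BODY, the host name app.example and the fixed boundary string are assumptions for the example, not standard values.

```python
"""GET vs POST at the wire level: choose the method on the client by payload
size and content type, and enforce explicit limits on both the request target
and the body on the server.  Added example; the two limits are assumed policy
values, not protocol constants."""
import email
from urllib.parse import parse_qs, urlencode, urlsplit

MAX_REQUEST_TARGET = 4096   # assumed cap on "/path?query" length (the 4KB from point 2)
MAX_BODY = 1 << 20          # assumed cap on POST bodies: "no size limit" is what a DoS needs
BOUNDARY = "exampleboundary7a3f"  # fixed for reproducibility; use a random one in practice


def build_request(path, params, files=None):
    """Client side.  Small text-only parameter sets travel in the query string of
    a GET; a set that would push the request target over MAX_REQUEST_TARGET goes
    in a URL-encoded POST body; any file part forces a multipart/form-data POST.
    files maps field name -> (filename, bytes, mime type)."""
    if not files:
        query = urlencode(params, doseq=True)
        target = f"{path}?{query}" if query else path
        if len(target) <= MAX_REQUEST_TARGET:
            return f"GET {target} HTTP/1.1\r\nHost: app.example\r\n\r\n".encode("latin-1")
        body = query.encode("latin-1")
        ctype = "application/x-www-form-urlencoded"
    else:
        parts = []
        for name, value in params.items():
            parts.append(f'--{BOUNDARY}\r\nContent-Disposition: form-data; '
                         f'name="{name}"\r\n\r\n{value}\r\n'.encode("latin-1"))
        for name, (filename, data, mime) in files.items():
            parts.append(f'--{BOUNDARY}\r\nContent-Disposition: form-data; '
                         f'name="{name}"; filename="{filename}"\r\n'
                         f'Content-Type: {mime}\r\n\r\n'.encode("latin-1") + data + b"\r\n")
        body = b"".join(parts) + f"--{BOUNDARY}--\r\n".encode("latin-1")
        ctype = f"multipart/form-data; boundary={BOUNDARY}"
    head = (f"POST {path} HTTP/1.1\r\nHost: app.example\r\n"
            f"Content-Type: {ctype}\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode("latin-1") + body


def parse_request(raw):
    """Server side.  Returns (status, params): 200 with a name -> list-of-values
    dict on success, otherwise the status a hardened front end should answer
    with.  Neither method is trusted more than the other; both are bounded."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if len(target) > MAX_REQUEST_TARGET:
        return 414, {}                      # URI Too Long: reject, do not buffer
    if method == "GET":
        return 200, parse_qs(urlsplit(target).query)
    if method != "POST":
        return 405, {}
    if "content-length" not in headers:
        return 411, {}                      # Length Required: never read to EOF
    length = int(headers["content-length"])
    if length > MAX_BODY:
        return 413, {}                      # Content Too Large: same DoS logic as for GET
    body = body[:length]
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        return 200, parse_qs(body.decode("latin-1"))
    if ctype.startswith("multipart/form-data"):
        # Reuse the stdlib MIME parser: prepending the Content-Type header turns
        # the body into a well-formed multipart message (point 3 in practice).
        msg = email.message_from_bytes(
            f"Content-Type: {ctype}\r\n\r\n".encode("latin-1") + body)
        params = {}
        for part in msg.get_payload():
            name = part.get_param("name", header="content-disposition")
            params.setdefault(name, []).append(part.get_payload(decode=True))
        return 200, params
    return 415, {}                          # Unsupported Media Type


if __name__ == "__main__":
    # Constructed inputs: a small query, an oversized one, and a file upload.
    print(parse_request(build_request("/search", {"q": "ssl"})))
    print(parse_request(build_request("/search", {"q": "x" * 5000})))
    print(parse_request(build_request("/upload", {"note": "hi"},
                                      {"f": ("a.bin", b"\x00\x01\xff",
                                             "application/octet-stream")})))
```

The server half is the part worth copying: it caps the request target and the body with the same reasoning, since moving data from the query string into a POST body only shifts where an attacker can push an unbounded payload. Feeding a hand-built over-long GET or a POST without Content-Length straight to parse_request shows the rejection paths without any network code.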