OSEC

strange_at_nsk.yi.org
Date: Wed Jul 10 2002 - 16:16:24 CDT


    On Wed, Jul 10, 2002 at 04:47:11PM -0400, Venkat, Sanjay wrote:
    > To echo most of the comments from the thread, GET and POST are both not
    > secure.

    In an HTTPS context I say that POST is more secure than GET because the
    POST data doesn't get into the browser's history. But the gain in that
    regard is minimal.

    > Further clarify that the GET and POST are sent from the client to the server
    > and cannot pass data back from the server to the client. The response is
    > always a HTTP response of type 200 for OK. (Check HTTP response codes for
    > more)

    No, the response can be any HTTP response, and any type of file
    (text/html, image/jpeg, etc) can be sent back by the server.

    As an example of a CGI that returns an error:
    #! /usr/bin/perl
    # A CGI script sets the HTTP status with a "Status:" header line; the web
    # server relays it to the client. The blank line ends the headers.
    print <<EOF;
    Status: 404 Not Found
    Content-Type: text/html; charset=iso-8859-1

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
     ...
    EOF

    I agree with the rest of the comment:

    > However, a best practice in selection of a GET or a POST method can be made
    > using the following points.
    > 1. As the application (I assume web tier) is communicating to various
    > application servers at the back end, the GET request and the POST request
    > might not even be visible to the UI and hence are the same.
    >
    > 2. The GET method has a limitation on the size of the data that can be sent.
    > Though some webservers have buffers to deal with data larger than the
    > recommended 4KB, some web/appservers' buffers will overflow. (This has been a
    > DoS exploit in the past)
    >
    > POST data has no such size limitation. Hence if a user has direct access to
    > constructing a GET request that is processed by the web application layer,
    > POST is the safer call over a GET.
    >
    > 3. POST data has advantages as it can deal with information other than
    > URLEncoded information (i.e. MIME). So it is possible to let MIME handle
    > multiple types of data for you instead of the encoding required with a GET.

    Regards,
    Luciano Rocha
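The two technical points in the exchange above (a CGI script chooses its own status code and content type, and a server may bound the size of a GET query string while accepting a larger POST body) are shown together in the following Python CGI-style handler. This is an added example, not code from the original post or thread; the resource paths, the fake JPEG bytes, the MAX_QUERY_LEN figure and the handle()/build_response() names are all constructed for the illustration.

```python
"""Added example (not part of the original post): a minimal CGI-style request
handler that returns a non-200 status and non-HTML content types, and that
bounds GET query-string size while placing no such bound on a POST body.
All paths, bodies and limits below are constructed for the illustration."""
import json
import os
import sys

# Assumed limit for the GET query string; mirrors the ~4KB figure mentioned
# in the thread, not a standard value.
MAX_QUERY_LEN = 4096

# Constructed resources: path -> (content type, body bytes)
RESOURCES = {
    "/index": ("text/html; charset=iso-8859-1",
               b"<html><body>Hello</body></html>"),
    # Fake JPEG: SOI marker, a little padding, EOI marker (not a real image)
    "/logo": ("image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"\xff\xd9"),
    "/api": ("application/json", json.dumps({"ok": True}).encode("ascii")),
}


def build_response(status, content_type, body):
    """Serialise a CGI response: Status and Content-Type header lines, a
    blank line, then the body. The web server turns Status into the HTTP
    status line, exactly as the Perl example in the post relies on."""
    headers = ("Status: %s\r\nContent-Type: %s\r\n\r\n"
               % (status, content_type)).encode("ascii")
    return headers + body


def handle(method, path, query_string="", post_body=b""):
    """Route a request and return the complete CGI response as bytes."""
    if method not in ("GET", "POST"):
        return build_response("405 Method Not Allowed", "text/plain",
                              b"method not allowed\n")
    # Oversized GET query strings are rejected up front instead of being
    # passed on to code whose buffers may not expect them.
    if method == "GET" and len(query_string) > MAX_QUERY_LEN:
        return build_response("414 Request-URI Too Long", "text/plain",
                              b"query string too long\n")
    if path not in RESOURCES:
        return build_response("404 Not Found", "text/html; charset=iso-8859-1",
                              b"<html><body>Not found</body></html>")
    content_type, body = RESOURCES[path]
    # A POST body of any size is accepted here; only the query string is bounded.
    return build_response("200 OK", content_type, body)


def _header(response, name):
    """Return the value of header `name` from a response built by handle()."""
    head, _, _ = response.partition(b"\r\n\r\n")
    prefix = name.encode("ascii") + b": "
    for line in head.split(b"\r\n"):
        if line.startswith(prefix):
            return line[len(prefix):].decode("ascii")
    return None


def status_of(response):
    return _header(response, "Status")


def content_type_of(response):
    return _header(response, "Content-Type")


if __name__ == "__main__":
    # Run as a real CGI script: read the request from the environment and
    # write the full response to stdout.
    method = os.environ.get("REQUEST_METHOD", "GET")
    body = b""
    if method == "POST" and os.environ.get("CONTENT_LENGTH"):
        body = sys.stdin.buffer.read(int(os.environ["CONTENT_LENGTH"]))
    sys.stdout.buffer.write(handle(method,
                                   os.environ.get("PATH_INFO", "/"),
                                   os.environ.get("QUERY_STRING", ""),
                                   body))
```

Dropped into a cgi-bin directory, the script answers an unknown path with 404, serves the fake image as image/jpeg, and refuses a GET whose query string exceeds the assumed 4096-byte limit with 414 while accepting a POST body of any length.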