Development: Difference between the http requests POST and GET

GET and POST are two different types of HTTP requests. GET is used for viewing something without changing it, while POST is used for changing something. For example, a search page should use GET to get data, while a form that changes your password should use POST. Essentially, GET is used to retrieve remote data, and POST is used to insert or update remote data.

GET retrieves a representation of the specified resource and includes all required data in the URL. You should be able to request the same URL over and over harmlessly. Note that GET should not be used for operations that cause side effects, such as taking actions in web applications. One reason is that GET may be requested arbitrarily by robots or crawlers, which should not need to consider the side effects that a request might cause.

POST is for writing data: it submits data to be processed (e.g. from an HTML form) to the identified resource. This may result in the creation of a new resource, the update of existing resources, or both. Because it may have side effects, sending the same request several times will likely result in multiple writes. Browsers typically warn you about this. POST is not secure: the data is included in the body of the request instead of the URL, but it is still trivially simple to view or edit.

What about HTTPS (HTTP over TLS/SSL)? This is an interesting question. Say you make a GET request to a webpage:

GET: https://www.example.com/login.php?user=myuser&pass=mypass

Assuming that your Internet connection is being monitored, what information about this request will be available to the snooper? If POST is used instead, with the user and pass data sent as POST variables, will that be more secure over an HTTPS connection?

The answer is no. If you make such a GET request, only the following information will be known to the attacker monitoring your web traffic:

  1. The fact that you made an HTTPS connection
  2. The hostname www.example.com
  3. The total length of the request
  4. The length of the response

The path part of the URL (the actual page requested) and the query string parameters are encrypted while they are on their way to the destination server. The situation is exactly the same for POST requests, except that the parameters are in the body instead of the URL.

Web servers tend to log the entire URL in plain text in their access logs, so sending sensitive information over GET is not a good idea. This applies irrespective of whether HTTP or HTTPS is used.

Via: Diffen and RFC 2616 Section 9
