Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
562 views
in Technique[技术] by (71.8m points)

rest - What is the difference between a HTTP-Get and HTTP-POST and why is HTTP-POST weaker in terms of security

Can anyone explain the difference between a HTTP-GET and HTTP-POST? And why do people say that a HTTP-POST is weaker in terms of security?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

In an HTTP GET request, key/value pairs are specified in the URL:

http://server/something?value1=foo&value2=bar.

In an HTTP POST request, key/value pairs are sent as part of the HTTP request after the headers. For example:

 POST /something HTTP/1.1
 Host: server
 Content-Length: 21
 Content-Type: application/x-www-form-urlencoded

 value1=foo&value2=bar

It's hard to really describe one as being more or less secure than the other, but HTTP POST data is not visible in the URL, and when submitting data to a website, an HTTP POST can usually only be performed as a result of user interaction (for example clicking on a "Submit" button).

This means a user can't be tricked into visiting a URL like http://server/update_profile?name=I_suck and sensitive data is not exposed in the URL.

You can also use nonces and other anti-forgery tokens with html forms (which use POST) to prevent other forms of cross-site request forgeries.

In general, POST should be used for requests that potentially modify state on the server, and GET should be used for read-only operations.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...