GET vs. POST, more browser security questions
jd0g
mail at justinmwright.com
Fri Jun 7 00:26:17 CDT 2002
Hello,
Is it more secure to send parameters to a web server in a POST HTTPS
request or a GET HTTPS request? The W3C says that a POST request is
slightly more secure ( I think, see
http://www.w3.org/Security/Faq/wwwsf4.html#CGI-Q12 )For example, if I look
at the lines in my Apache access.log file for a GET request I can see every
HTTP parameter after the '?' unlike a POST request where I just see the base
URL. Are HTTPS headers SSL encrypted along with the document being
transmitted? Now when my web browser makes a GET request to my favorite
e-commerce web site is it possible that a router or someone with a 'sniffer'
somewhere can pickup that URL and see the key-value parameters and if the
programmers aren't careful could embed sensitive information in the URL?
What is stopping the owner of the router from logging the URL requests that
travel through it?
j
More information about the Kclug
mailing list