Why is using a HTTP GET to update state on the server in a RESTful call incorrect?

南笙 2021-01-17 20:22

OK, I know already all the reasons on paper why I should not use a HTTP GET when making a RESTful call to update the state of something on

5 answers
  • 2021-01-17 21:06

    One more problem is there. If the GET method is used, data is sent in the URL itself. In the web server's logs, this data gets saved somewhere on the server along with the request path. Now suppose that someone has access to/reads those log files; your data (which can be user IDs, passwords, keywords, tokens, etc.) gets revealed. This is dangerous and has to be taken care of.

    In the server's log file, headers and body are not logged, but the request path is. So, with the POST method, where data is sent in the body, not in the request path, your data remains safe.

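To make the log-leakage point above concrete, here is an added example (not code from the answerer or from any real web server) that mimics what a typical access log records and shows which secrets survive into it. The log format, client address, timestamp and the `redact_query` mitigation helper are all constructed for illustration; the sensitive-parameter list is an assumption.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Constructed sample: query-string parameter names that must never reach a log.
SENSITIVE_KEYS = {"password", "token", "apikey", "session"}


def access_log_line(method, target, body=None):
    """Mimic an Apache/nginx-style access log entry (constructed format).

    Only the request line (method, target, protocol) is recorded; the body
    argument is deliberately ignored, which is what the answer above describes.
    The client address, timestamp, status and size are sample values.
    """
    return (f'203.0.113.5 - - [17/Jan/2021:21:06:00 +0000] '
            f'"{method} {target} HTTP/1.1" 200 512')


def redact_query(target):
    """Replace the values of sensitive query parameters before logging.

    Hypothetical mitigation for cases where a GET with secrets in the URL
    cannot be avoided (e.g. a third-party callback); not a library API.
    """
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v)
                for k, v in pairs]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(redacted), parts.fragment))


def leaked_values(log_line, secrets):
    """Return which of the given secret values appear verbatim in a log line."""
    return [s for s in secrets if s in log_line]


if __name__ == "__main__":
    secrets = ["hunter2", "tok_abc123"]  # constructed sample secrets
    get_line = access_log_line("GET", "/api/user?password=hunter2&token=tok_abc123")
    post_line = access_log_line("POST", "/api/user",
                                body="password=hunter2&token=tok_abc123")
    print(get_line)
    print("leaked via GET :", leaked_values(get_line, secrets))
    print("leaked via POST:", leaked_values(post_line, secrets))
    print("redacted target:",
          redact_query("/api/user?password=hunter2&token=tok_abc123&id=7"))
```

Running it shows both secrets in the GET entry and none in the POST entry; `redact_query` is the defensive fallback for logs that must keep the full request target.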
  • 2021-01-17 21:11

    The practical case where you will have a problem is that the HTTP GET is often retried in the event of a failure by the HTTP implementation. So you can in real life get situations where the same GET is received multiple times by the server. If your update is idempotent (which yours is), then there will be no problem, but if it's not idempotent (like adding some value to an amount for example), then you could get multiple (undesired) updates.

    HTTP POST is never retried, so you would never have this problem.

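The retry scenario in this answer is easy to simulate. The following is an added example (not the answerer's code) with a toy in-memory "server" and a `deliver_with_retry` function that models a client stack resending a request whose response was lost; the server actually processed the first attempt, so the handler runs twice. It also shows the usual mitigation for non-idempotent updates, an idempotency key generated once by the client, which goes beyond the answer's text; all names are hypothetical.

```python
import uuid


class AccountServer:
    """Toy server state for a single account; hypothetical, not a real framework."""

    def __init__(self):
        self.balance = 0
        self.seen_request_ids = set()

    def set_balance(self, value):
        # Idempotent: applying the same request twice leaves the same state.
        self.balance = value

    def add_to_balance(self, delta):
        # Not idempotent: every replayed request changes the result again.
        self.balance += delta

    def add_to_balance_once(self, delta, request_id):
        # Mitigation: an idempotency key lets the server drop duplicates even
        # when the transport (or a double-clicking user) replays the request.
        if request_id in self.seen_request_ids:
            return
        self.seen_request_ids.add(request_id)
        self.balance += delta


def deliver_with_retry(handler, *args, attempts=2):
    """Model a client that resends a request after a lost response.

    The server processed the first attempt; it only looked failed to the
    client, so the handler runs `attempts` times in total.
    """
    for _ in range(attempts):
        handler(*args)


def simulate(deposit=100):
    """Return the final balance for each handler after one retried request."""
    idempotent = AccountServer()
    deliver_with_retry(idempotent.set_balance, deposit)

    naive = AccountServer()
    deliver_with_retry(naive.add_to_balance, deposit)

    keyed = AccountServer()
    request_id = str(uuid.uuid4())  # generated once by the client, reused on retry
    deliver_with_retry(keyed.add_to_balance_once, deposit, request_id)

    return {"set_balance": idempotent.balance,
            "add_to_balance": naive.balance,
            "add_to_balance_once": keyed.balance}


if __name__ == "__main__":
    for name, balance in simulate().items():
        print(f"{name:22s} -> {balance}")
```

The naive `add_to_balance` ends at 200 after a single retried deposit of 100, while the idempotent `set_balance` and the keyed variant both end at 100.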
  • 2021-01-17 21:11

    I think that reading this resource: http://www.servicedesignpatterns.com/WebServiceAPIStyles could be helpful to you to make the difference between message API and resource API.

  • 2021-01-17 21:12

    Here is an important reason that GETs should be idempotent and not be used for updating state on the server, with regard to Cross-Site Request Forgery attacks. From the book: Professional ASP.NET MVC 3

    Idempotent GETs
    Big word, for sure — but it’s a simple concept. If an operation is idempotent, it can be executed multiple times without changing the result. In general, a good rule of thumb is that you can prevent a whole class of CSRF attacks by only changing things in your DB or on your site by using POST. This means Registration, Logout, Login, and so forth. At the very least, this limits the confused deputy attacks somewhat.

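The book's advice ("only change things by using POST") translates into two checks in a request dispatcher. The following is an added example, not code from the book or the answerer: a minimal `handle` function that refuses any non-POST request to a state-changing path and requires a per-session synchronizer token on POST. The path list, session layout and token field name are assumptions.

```python
import hmac
import secrets

# Constructed list of paths that have side effects (the book's examples).
STATE_CHANGING = {"/login", "/logout", "/register"}


def new_session():
    """Create a session carrying a fresh synchronizer token (constructed helper)."""
    return {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}


def handle(method, path, session, form=None):
    """Minimal dispatcher; returns (http_status, resulting_session)."""
    form = form or {}
    if path not in STATE_CHANGING:
        return 200, session  # read-only resource: GET is fine here

    if method != "POST":
        # Side effects only on POST: a page that merely loads this URL
        # (or a crawler following it) cannot change server state.
        return 405, session

    # Even a POST can be forged from another origin, but that origin cannot
    # read the victim's token, so a constant-time comparison closes the gap.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session.get("csrf_token", "")):
        return 403, session

    if path == "/logout":
        return 200, {}  # state change actually performed: session cleared
    return 200, session


if __name__ == "__main__":
    s = new_session()
    print("GET  /logout        ->", handle("GET", "/logout", s)[0])
    print("POST /logout (bad)  ->", handle("POST", "/logout", s, {"csrf_token": "guess"})[0])
    print("POST /logout (good) ->", handle("POST", "/logout", s, {"csrf_token": s["csrf_token"]}))
```

The first check is what removes the whole class of GET-based CSRF the book refers to; the token check is what the book calls "at the very least" limiting the confused-deputy problem for POST.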
  • 2021-01-17 21:13

    If some form of search engine spiders your site it could change your data unintentionally.

    This happened in the past with Google's Desktop Search that caused people to lose data because people had implemented delete operations as GETs.
