GET vs POST in REST Web Service
I\'m in the process of developing a REST service that allows a user to claim their listing based on a couple of pieces of information that appear on their invoice (invoice n
-
Independently of POST vs GET, I would recommend NOT basing your security as something as simple as a zip code and an invoice number. I would bet on the fact that invoice numbers are sequential (or close), and there aren't that many zip codes around - voila, I got full access to your listings.
If you're using another authentication method (typically in HTTP header), then you're good - it doesn't matter if you have an invoice number if the URL, so might as well use GET.
If you're not, then I guess POST isn't as bad as GET in term of exposing confidential content.
讨论(0) -
You question starts with some bad presumptions. Firstly,
GETis not just for any old idempotent operation, it is forGETting resources from the server; it just happens that doing so should be side effect free. Secondly, the URL is not the only way for a GET request to send data to the server, you can use a payload with aGETrequest (at least as far as HTTP is concerned, some implementations are bad and don't support this or make it hard). Third, as pointed out, you have chosen some terrible data fields to secure your access. Finally, you are using a plain text protocol any way, so what neither method really offers and better security.You should use the the verb that best describes what you are doing, you are getting some information from the server, so use
GET. Use some proper security, such as basic HTTPS encryption. If you want to avoid these fields 'clogging' up the URL, you can send data in the payload of the request, something like:GET /listings HTTP/1.1 Content-Type = application/json { "zip" : "IN0N0USZ1PC0D35", "invoice" : "54859081145" }讨论(0) -
There isn't really any added security in a POST vs a GET. Sure, the request isn't in the URL, but it's REST we are talking about here, and the URL wouldn't be seen by a human anyway.
讨论(0)
加载中...
- 热议问题