Re: [Cppcms-users] query string
From: mawan s. <ma...@gm...> - 2015-10-01 13:24:06
I think it is no problem about GET or POST, but why GET method cannot be captured with load(context)?

On Oct 1, 2015 4:00 AM, "kpeo" <sla...@ya...> wrote:
> Note: "POST/GET/Ajax" - can confuse, because Ajax is not an independent
> technology, but environment uses POST/GET. But it is one of choices in webdev.
>
> 30.09.2015, 19:44, "Joerg Sonnenberger" <jo...@br...>:
> > On Wed, Sep 30, 2015 at 06:48:44PM +0300, kpeo wrote:
> > > At my point, security is not about the data transferred between the
> > > client and server only.
> > > Browser can store the url with requested data in history / cache. Or URL
> > > can be stored in clipboard, etc.
> > > These data may not contain confidential data, but may contain some
> > > personal information. So GET increases the risks.
> >
> > Yes, there are specific cases where a POST is useful for idempotent
> > operations. Most of them disappeared with AJAX. Secure tips like "POST
> > is more secure than GET" are the reason why we still have so many
> > extremely badly behaving applications:
> > (1) Using POST because it isn't cached instead of proper cache control.
> > (2) Using POST because it doesn't make things appear in the (client)
> > history.
> > (3) Using POST to prevent C&P.
> >
> > None of this is about security. It is all a form of obscurity at best.
> >
> > The first criterion for GET vs POST should *always* be: does the request
> > change any state? If the request is issued a second time, does something
> > break? If the answer is no, it should *normally* be a GET. There are a
> > few exceptions:
> >
> > (1) You want to pass a lot of data. In the past, some servers liked to
> > complain about passing 200 characters by query string.
> >
> > (2) You have a sensitive query parameter and can't do the query
> > indirectly via AJAX OR can't trust your deployment to have a sane
> > logging configuration.
> >
> > That's about what I can think of after travelling for 12h. If you look
> > at it carefully, the second point doesn't really fix the problem in any
> > way. If you want to pass sensitive data around, encrypt it. Not just the
> > transport, but the individual item as well. Remember, no storing of
> > unencrypted credit card data as example. It's quite a good policy to do
> > that as early as possible.
> >
> > I'm annoyed by such blanket statements, because they almost always lead
> > to bad design decisions upfront by people that don't completely
> > understand the ramifications. Look at all the web shops still around
> > where you can't just hit the Back button of your browser without getting
> > annoying warnings about having to resubmit form data, even if you are
> > just browsing the catalog.
> >
> > Joerg
> >
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > Cppcms-users mailing list
> > Cpp...@li...
> > https://lists.sourceforge.net/lists/listinfo/cppcms-users
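As an added illustration of Joerg's "does the request change any state?" rule and his logging caveat (this is not code from the thread or from CppCMS; the request model, route names and parameter names are constructed for the example), a small C++ dispatcher that refuses state-changing routes over GET, sets caching by an explicit header on read-only routes instead of switching them to POST, reads parameters from the body for POST and from the query string for GET, and redacts named sensitive query parameters before they reach an access log:

```cpp
#include <functional>
#include <map>
#include <set>
#include <string>
// Constructed request/response model for this example; not CppCMS's http::request API.
struct Request {
    std::string method;                        // "GET" or "POST"
    std::map<std::string, std::string> query;  // parsed query string
    std::map<std::string, std::string> form;   // parsed POST body
};
struct Response { int status = 200; std::map<std::string, std::string> headers; std::string body; };
using Params = std::map<std::string, std::string>;
using Handler = std::function<std::string(const Params&)>;
struct Route { bool changes_state; Handler handler; };
class Dispatcher {
public:
    // Every route declares up front whether it changes server state (the first criterion above).
    void add(const std::string& path, bool changes_state, Handler h) {
        routes_[path] = Route{changes_state, std::move(h)};
    }
    Response dispatch(const std::string& path, const Request& req) const {
        Response res;
        auto it = routes_.find(path);
        if (it == routes_.end()) { res.status = 404; return res; }
        const Route& r = it->second;
        if (r.changes_state && req.method != "POST") {
            // A state-changing action reached by GET (link, prefetch, history replay) is refused.
            res.status = 405;
            res.headers["Allow"] = "POST";
            return res;
        }
        // Read-only routes stay GET; caching is decided by an explicit header (conservative default here).
        if (!r.changes_state) res.headers["Cache-Control"] = "no-store";
        // Parameters are read from the body for POST and from the query string for GET.
        res.body = r.handler(req.method == "POST" ? req.form : req.query);
        return res;
    }
private:
    std::map<std::string, Route> routes_;
};
// Access-log rendering that redacts named sensitive query parameters before they reach a log file.
std::string log_line(const std::string& path, const Request& req, const std::set<std::string>& sensitive) {
    std::string line = req.method + " " + path; char sep = '?';
    for (const auto& kv : req.query) {
        line += sep + kv.first + "=" + (sensitive.count(kv.first) ? std::string("[redacted]") : kv.second);
        sep = '&';
    }
    return line;
}
```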