Should a Basic authentication request be POST or GET?
I have seen Basic authentication being done in both GET and POST requests.
On the one hand, I suppose browser caching of GET requests could be an issue, but on the other: POST is larger but encouraged for delivering sensitive information.
I am not asking the difference between GET and POST requests, but which one should be used for Basic authentication. Should GET be used only with HTTPS? Should POST be used always?
My question is which one should be used? Which one is the better practice?
Should GET be used only with HTTPS? Should POST be used always?
HTTPS must be used regardless of the HTTP method when sending or requesting sensitive information over the wire. HTTPS ensures that both the body and the headers are encrypted.
Bear in mind that sensitive information (such as passwords and payment card numbers) must never ever be sent in the URL: the requested URL may be logged by servers and proxies, and if the URL is requested by a browser, the URL goes into the browser history. And then you have a security breach.
Which one should be used for Basic authentication?
The Basic authentication scheme is not tied to any particular HTTP method. Each HTTP method has its own semantics, so you may need different methods to design your API. And each of those methods may perform operations that require authentication and/or authorization.
The HTTP authentication framework, described in RFC 7235, defines that credentials should be sent in the Authorization header, so they can be applied to any HTTP(S) request.
It's also important to highlight that authentication schemes, such as Basic, are meant to be applied to protection spaces, often called realms (see my previous answer for details).
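The points in the answer above (credentials travel in the Authorization header, so the check is the same for any method; the 401 challenge names the realm; a URL is what ends up in access logs) are easy to see in a small loopback demo. The following is an added example written for this page, not code from the question or from either answer; the realm name, the user table, the paths and the query-string request that wrongly carries the password are all hypothetical, and the demo speaks plain HTTP on loopback only because a real deployment would sit behind TLS:

```python
"""Added example (not from the original question or answers): a Basic auth
check independent of the HTTP method, exercised against an in-process
loopback server with GET and POST. Names below are assumptions."""
import base64, binascii, hmac, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

REALM = "example-api"  # hypothetical protection space (RFC 7235 realm)
USERS = {"alice": "correct horse battery staple"}  # hypothetical store
ACCESS_LOG = []  # request lines a server would write to its access log


def check_basic_auth(header_value):
    """Return the user named by a valid Basic Authorization header, or None
    if it is absent, malformed or carries bad credentials (RFC 7617)."""
    if not header_value:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # user-id cannot contain ":"
    if not sep:
        return None
    # Constant-time compare, done for unknown users too, so timing stays flat.
    expected = USERS.get(user, "")
    ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return user if ok and user in USERS else None


class Handler(BaseHTTPRequestHandler):
    """GET and POST share one authorization path; the method is irrelevant."""

    def _authorize(self):
        user = check_basic_auth(self.headers.get("Authorization"))
        if user is None:  # the challenge names the realm the credentials apply to
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="%s", charset="UTF-8"' % REALM)
            self.send_header("Content-Length", "0")
            self.end_headers()
        return user

    def do_GET(self):
        if self._authorize():
            self._ok(b"GET ok")

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        if self._authorize():
            self._ok(b"POST ok, %d body bytes" % len(body))

    def _ok(self, data):
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):
        ACCESS_LOG.append(self.requestline)  # the URL is logged, headers are not


def basic_header(user, password):
    """Build the Authorization header value a client sends (RFC 7617)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def demo():
    """Send GET and POST anonymously and as alice, plus one GET that wrongly
    puts the password in the query string; return (results, access log)."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    base = "http://127.0.0.1:%d/resource" % server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    auth = {"Authorization": basic_header("alice", USERS["alice"])}
    in_url = base + "?" + urlencode({"user": "alice", "password": USERS["alice"]})
    attempts = [("GET", "anon", base, {}), ("GET", "alice", base, auth),
                ("POST", "anon", base, {}), ("POST", "alice", base, auth),
                ("GET", "in-url", in_url, {})]
    results = {}
    try:
        for method, who, url, headers in attempts:
            req = Request(url, data=b"payload" if method == "POST" else None,
                          method=method, headers=headers)
            try:
                with urlopen(req, timeout=5) as resp:
                    results[(method, who)] = (resp.status, resp.read().decode())
            except HTTPError as err:
                results[(method, who)] = (err.code, err.headers.get("WWW-Authenticate"))
    finally:
        server.shutdown()
        server.server_close()
    return results, list(ACCESS_LOG)


if __name__ == "__main__":
    print(demo()[0])
```

Running demo() shows GET and POST both answered 401 with the same realm challenge when the header is absent and 200 when it is present, while the request that put the password in the query string is still rejected and now has the password sitting in ACCESS_LOG, which is exactly the leak the answer warns about.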
Both the GET and POST methods are used to transfer data from client to server in the HTTP protocol, but the main difference between the POST and GET methods is that GET carries request parameters appended to the URL string while POST carries request parameters in the message body, which makes it a more secure way of transferring data from client to server in the HTTP protocol. So it depends on your needs. Hope it helps!