简体繁体 English

出于安全性考虑，对REST API中的每个HTTP动词使用POST是否很好？

[英]Is it good to use POST for each HTTP verb in REST API for security reasons?

原文 2012-09-04 14:26:41 2 3 security/ api/ rest/ standards

I am working on an enterprise web app. 我正在开发企业Web应用程序。 Our app would be deployed to production in https only. 我们的应用只能在https中部署到生产环境。 We are writing REST APIs that would be consumed by our html 5 client only (not for others) 我们正在编写仅由html 5客户端使用的REST API（不适用于其他客户端）

My team has taken decision to use POST for all rest verbs, because GET, PUT, DELETE exposes id in the url. 我的团队已决定对所有其余动词使用POST，因为GET，PUT，DELETE会在网址中公开ID。

What my team thinks is that, having any type of data exposed in the url is not a good idea, even if id is not directly the database id. 我的团队认为，即使id并非直接是数据库id，在url中公开任何类型的数据也不是一个好主意。

Everybody seems to be agreed to use POST http method for GET, PUT, DELETE and pass http_method as parameter and using the parameter decide what operation to do. 似乎大家都同意对GET，PUT，DELETE使用POST http方法，并将http_method作为参数传递，并使用该参数确定要执行的操作。

This is the only difference that we are planning to do for REST APIs. 这是我们计划为REST API所做的唯一区别。 What do you think? 你怎么看？

3 个解决方案

By avoiding the use of GET you loose the ability to use caching. 通过避免使用GET，您就失去了使用缓存的能力。 Hiding the id of the resource in the body will most likely cause you to violate the "identification of resources" constraint. 将资源的ID隐藏在主体中很可能会导致您违反“资源标识”约束。 Which will make linking/hypermedia far more difficult. 这将使链接/超媒体更加困难。

I would assert that it will be almost impossible to get the benefits of a RESTful system if you limit yourself to POST. 我断言，如果您将自己限制为POST，那么几乎不可能获得RESTful系统的好处。 Having said that, considering you are only targeting HTML5 clients you probably don't need most of the REST benefits. 话虽如此，考虑到您仅针对HTML5客户端，您可能不需要大多数REST好处。 Doing Json-RPC is probably more than adequate for your needs. 进行Json-RPC可能已足以满足您的需求。

However, I still think throwing away GET for a false sense of security is a bad idea. 但是，我仍然认为放弃GET以获得错误的安全感是一个坏主意。 The body of your posts are just as easy to access by some intermediary as an id in the URI. 您的帖子正文就像URI中的id一样容易被某些中介访问。

You should use HTTP as it was intended so you can get the full benefits of the stack. 您应按预期使用HTTP，以便可以充分利用堆栈的好处。 The different verbs have different semantics for a reason. 出于某种原因，不同的动词具有不同的语义。

You can feel like POST is more secure than GET all you want, but it's a false premise. 您可能会觉得POST比您想要的GET更安全，但这是错误的前提。

Who are you securing this data from? 您是从谁那里保护这些数据的？ Man in the middle? 男人在中间？ That's what HTTPS solves. 这就是HTTPS解决的问题。

Are you securing it from your end users? 您是从最终用户那里保护它吗？ The ones who can download your entire application and study the source code at their leisure whenever they want? 那些可以下载整个应用程序并随时随地学习源代码的人？ Or view the source of a page with a right click and see your payloads laid out in all their glory? 还是通过右键单击来查看页面的源代码，并查看有效载荷布置在它们的所有荣耀中？ Or simply turn the browser debugger on and watch all of your traffic? 还是只是打开浏览器调试器并观察所有流量？ You're trying to secure it from those people? 您想从那些人那里保护它吗？

POST doesn't hide anything from anybody. POST不会对任何人隐藏任何内容。

You should probably have a look at this post as it pretty much explains what https does for you. 您可能应该看一下这篇文章，因为它几乎解释了https为您提供的功能。 So the question would be: who do you want to protect the URL from? 因此，问题将是：您想保护谁免受URL攻击？ It might be in the browser history or visible to someone standing behind the user, but not to anyone listening on the line. 它可能在浏览器历史记录中，或者对于站在用户身后的人可见，但对于在线上收听的任何人都不可见。