
MVC HttpGet and HttpPost

Recently I attended a training on MVC. The trainer said that, because of security concerns, we have to use HttpPost instead of HttpGet. Always use HttpPost.

Can anyone explain - what is the security issue when we use HttpGet?

When transmitting data over a secure connection (HTTPS), the body of the POST request is encrypted and practically unreadable; you can only see the address where the data is going, but not the data itself. GET, on the other hand, has no body, and data has to be transmitted either in the query string or as a path parameter. While it is true that the query string does get encrypted as well, due to request logging on the server and in the browser it is possible to get hold of that data.

Anyone can insert an image on a public forum or Stack Overflow with a link to your website. Then the following happens:

  1. Browser looks at the URL in the image tag
  2. Browser finds cookies corresponding to the domain in the URL
  3. Browser sends a request to the URL with the user's cookies
  4. Your server performs the action
  5. Browser tries to parse the response as an image and fails
  6. Browser renders an error instead of the image

But if you mark your action as HttpPost only, then this scenario isn't applicable for 90% of sites. But you should also consider that if a hacker can create a form on another website, then he can still make the browser perform the request. So you need CSRF. Well, browsers have done a lot to prevent cross-site requests, but it's still possible in some scenarios.
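
The image-tag scenario and its fix, shown for ASP.NET MVC 5 as an added example that is not part of the original answers: a state-changing GET action beside a POST-only action that also validates the anti-forgery token. `SubscriptionController` and `ISubscriptionStore` are hypothetical names, and the example assumes a dependency resolver supplies the store.

```csharp
using System.Web.Mvc;

// Hypothetical storage abstraction, assumed for this example.
public interface ISubscriptionStore
{
    bool IsSubscribed(string userName);
    void Unsubscribe(string userName);
}

[Authorize]
public class SubscriptionController : Controller
{
    private readonly ISubscriptionStore _store;

    public SubscriptionController(ISubscriptionStore store)
    {
        _store = store;
    }

    // Weak form: a state change reachable by GET. Any page that makes the
    // browser fetch /Subscription/UnsubscribeByGet (for example through an
    // image tag) triggers it with the user's cookies attached.
    [HttpGet]
    public ActionResult UnsubscribeByGet()
    {
        _store.Unsubscribe(User.Identity.Name);
        return RedirectToAction("Index");
    }

    // GET is kept for reads only: it renders the page and changes nothing.
    [HttpGet]
    public ActionResult Index()
    {
        return View(_store.IsSubscribed(User.Identity.Name));
    }

    // Hardened form: POST only, and the request must carry the anti-forgery
    // token that the view emitted with @Html.AntiForgeryToken(), so a form
    // hosted on another site is rejected before the action body runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Unsubscribe()
    {
        _store.Unsubscribe(User.Identity.Name);
        return RedirectToAction("Index");
    }
}
```

Because the hardened action takes no identifiers from the URL, nothing sensitive ends up in server access logs or browser history for that request.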
