Does HTTPS make POST data encrypted?

Question

I am new to the world of programming and I have learnt enough about basic CRUD-type web applications using HTML-AJAX-PHP-MySQL. I have been learning to code as a hobby and as a result have only been using a WAMP/XAMP setup (localhost). I now want to venture into using a VPS and learning to set it up and eventually open up a new project for public use.

I notice that whenever I send form data to my PHP file using AJAX or even a regular POST, if I open the Chrome debugger, and go to "Network", I can see the data being sent, and also to which backend PHP file it is sending the data to.

If a user can see this, can they intercept this data, modify it, and send it to the same backend PHP file? If they create their own simple HTML page and send the POST data to my PHP backend file, will it work?

If so, how can I avoid this? I have been reading up on using HTTPS but I am still confused. Would using HTTPS mean I would have to alter my code in any way?

Answer 1

The browser is obviously going to know what data it is sending, and it is going to show it in the debugger. HTTPS encrypts that data in transit and the remote server will decrypt it upon receipt; ie it protects against any 3rd parties in the middle being able to read or manipulate the data.

This may come as a shock to you (or perhaps not), but communication with your server happens exclusively over HTTP(S). That is a simple text protocol. Anyone can send arbitrary HTTP requests to your server at any time from anywhere. HTTPS encrypted or not. If you're concerned about somebody manipulating the data being sent through the browsers debugger tools… your concerns are entirely misdirected. There are many simpler ways to send any arbitrary crafted HTTP request to your server without even going to your site.

Your server can only rely on the data it receives and must strictly validate the given data on its own merits. Trying to lock down the client side in any way is futile.

Answer 2

This is even simpler than that. Whether you are using GET or POST to transmit parameters, the HTTP request is sent to your server by the user's client, whether it's a web browser, telnet or anything else. The user can know what these POST parameters are simply because it's the user who sends them - regardless of the user's personal involvement in the process.

You are taking the problem from the wrong end. One of the most important rules of programming is : Never trust user entries is a basic rule of programming ! Users can and will make mistakes, and some of them will try to damage you or steal from you. Welcome into the club.

Therefore, you must not allow your code to perform any operation that could damage you in any way if the POST or GET parameters you receive aren't what you expect, be it by mistake or from malicious intents. If your code, by the way it's designed, renders you vulnerable to harm simply by sending specific POST values to one of your pages, then your design is at fault and you should redo it taking that problematic into account.

That problematic being a major issue while designing programs, you will find plenty of documentation, tutorials and tips regarding how to prevent your code to turn against you.

Don't worry, that's not that hard to handle, and the fact that you came up with that concern by yourself show how good you are at figuring things out and how commited you are to produce good code, there is no reason why you should fail.

Feel free to post another question if you are stuck regarding a particular matter while taking on your security update.

Answer 3

Everyone can send whatever they want to your application. HTTPS just means that they can't see and manipulate what others send to your application. But you always have to work under the assumption that what is sent to your application as POST, GET, COOKIE or whatever is evil.

Answer 4

HTTPS encrypts in-transit, so won't address this issue.

You cannot trust anything client-side. Any data sent via a webform can be set to whatever the client wants. They don't even have to intercept it. They can just modify the HTML on the page.

There is no way around this. You can, and should, do client side validation. But, since this is typically just JavaScript, it can be modified/disabled.

Therefore, you must validate all data server side when it is received. Digits should be digits, strip any backslashes or invalid special characters, etc.

Answer 5

在HTTPS中，之前建立了TLS通道并且传输了HTTP数据，因此从这个角度来看，GET和POST请求之间没有区别。

Answer 6

It is encrypted but that is only supposed to protects against mitm attacks.

your php backend has no idea where the data it receives comes from which is why you have to assume any data it receives comes straight from a hacker.

Since you can't protect against unsavoury data being sent you have to ensure that you handle all data received safely. Some steps to take involve ensuring that any files uploaded can't be executed (ie if someone uploads a php file instead of an image), ensuring that data received never directly interacts with the database (ie https://xkcd.com/327/ ), & ensuring you don't trust someone just because they say they are logged in as a user.

To protect further do some research into whatever you are doing with the received post data and look up the best practices for whatever it is.