[WEB SECURITY] Sensitive Info in POST and Security Concerns

Martin O'Neal martin.oneal at corsaire.com
Thu Jun 27 02:48:48 EDT 2013


> POST method is more secure than GET method, 
> as the values in the POST method are not 
> cached in the URL.

Actually this statement is wrong on both counts. 

If the POST request is not followed by a redirect (3xx) then using the history to revisit the page may make the browser resubmit the values entered (often prompting a warning that this will happen, nonetheless).

A POST may put arguments in the body of the request, but in the specific example given the question is about an argument in the URI.

Whether this argument is a problem, or should be there at all, is all contextual to the application. Querying the account ID like this, with it in the URI, fits the RESTful model, so is valid from that perspective.

It all depends on whether the account ID is considered sensitive information.

Martin...
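The two points in the reply above, resubmission from history when a POST is not followed by a redirect, and an account ID in the URI being recorded regardless of method, as an added example that is not part of the original post. It is a small request handler written for this illustration; the routes (`/transfer`, `/accounts/<id>`), form field names and account values are constructed for the demo and are not from any real application.

```python
"""Added example (not from the original mailing-list post): a tiny
request handler showing (1) why a POST that answers with a page rather
than a 3xx redirect can be resubmitted from browser history, and (2) why
moving an account ID from a query string into a POST body does not keep
it out of server logs when the ID is also in the URI path.
All routes, field names and sample values are constructed for this demo."""

import re
from urllib.parse import parse_qs

# Constructed in-memory "database": account ID -> balance (demo only)
ACCOUNTS = {"12345": 100, "67890": 250}


def handle_request(method, path, body=""):
    """Return (status, headers, body) for a request, POST-redirect-GET style."""
    if method == "POST" and path == "/transfer":
        form = parse_qs(body)
        acct = form.get("account_id", [""])[0]
        amount = int(form.get("amount", ["0"])[0])
        if acct not in ACCOUNTS:
            return 404, {}, "unknown account"
        ACCOUNTS[acct] -= amount
        # 303 See Other: the browser follows with a GET, so a history
        # revisit or reload lands on the GET page, not on a second POST.
        return 303, {"Location": "/transfer/done"}, ""
    if method == "GET" and path == "/transfer/done":
        return 200, {"Content-Type": "text/plain"}, "transfer recorded"
    m = re.fullmatch(r"/accounts/(\d+)", path)
    if method == "GET" and m:
        acct = m.group(1)
        if acct not in ACCOUNTS:
            return 404, {}, "unknown account"
        return 200, {"Content-Type": "text/plain"}, f"balance={ACCOUNTS[acct]}"
    return 404, {}, "not found"


def handle_request_no_redirect(method, path, body=""):
    """Same POST handler, but answering the POST directly with the result page.
    The browser's history entry is then the POST itself, which is what
    produces the 'resubmit form data?' prompt on revisit and, if accepted,
    runs the transfer again."""
    status, headers, resp = handle_request(method, path, body)
    if method == "POST" and status == 303:
        return 200, {"Content-Type": "text/plain"}, "transfer recorded"
    return status, headers, resp


ACCOUNT_ID_IN_PATH = re.compile(r"(/accounts/)\d+")


def access_log_line(method, path):
    """Common-log-style request field the server writes: the request URI is
    logged whatever the method, so an ID in the path is recorded either way."""
    return f'"{method} {path} HTTP/1.1"'


def redacted_log_line(method, path):
    """Same line with the account ID path segment masked before it reaches disk,
    for deployments that treat the account ID as sensitive."""
    return access_log_line(method, ACCOUNT_ID_IN_PATH.sub(r"\1[redacted]", path))


if __name__ == "__main__":
    print(handle_request("POST", "/transfer", "account_id=12345&amount=10"))
    print(handle_request("GET", "/transfer/done"))
    print(handle_request("GET", "/accounts/12345"))
    print(access_log_line("POST", "/accounts/12345"))
    print(redacted_log_line("POST", "/accounts/12345"))
```

The redirect handler is the one to keep; `handle_request_no_redirect` exists only to show the behaviour the reply warns about. Whether the log redaction is needed at all depends, as the reply says, on whether the account ID counts as sensitive in that application.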
