What is the difference between a HTTP-Get and HTTP-POST and why is HTTP-POST weaker in terms of security


Problem Description


Can anyone explain the difference between a HTTP-GET and HTTP-POST? And why do people say that a HTTP-POST is weaker in terms of security?

Solution

In an HTTP GET request, key/value pairs are specified in the URL:

http://server/something?value1=foo&value2=bar.

In an HTTP POST request, key/value pairs are sent as part of the HTTP request after the headers. For example:

 POST /something HTTP/1.1
 Host: server
 Content-Length: 21
 Content-Type: application/x-www-form-urlencoded

 value1=foo&value2=bar

It's hard to really describe one as being more or less secure than the other, but HTTP POST data is not visible in the URL, and when submitting data to a website, an HTTP POST can usually only be performed as a result of user interaction (for example clicking on a "Submit" button).

This means a user can't be tricked into visiting a URL like http://server/update_profile?name=I_suck and sensitive data is not exposed in the URL.

You can also use nonces and other anti-forgery tokens with HTML forms (which use POST) to prevent other forms of cross-site request forgeries.

In general, POST should be used for requests that potentially modify state on the server, and GET should be used for read-only operations.
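
An added example, not part of the original answer, showing its last two points in Python: a state-changing handler that refuses GET and requires a session-bound anti-forgery token on POST. The handler name `update_profile`, the `csrf_token` form field, the in-memory `PROFILES` store and the session identifiers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed: per-deployment secret
PROFILES = {}                         # constructed: stand-in for server state


def issue_token(session_id: str) -> str:
    """Anti-forgery token bound to the session, embedded in the HTML form."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256)
    return f"{nonce}.{mac.hexdigest()}"


def token_is_valid(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, sig = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig.encode(), expected.encode())


def update_profile(method: str, session_id: str, form: dict) -> int:
    """Hypothetical handler for /update_profile; returns an HTTP status code."""
    # State changes are refused over GET, so following a crafted link does nothing.
    if method != "POST":
        return 405
    # A cross-site form can send a POST, but it cannot know this session's token.
    if not token_is_valid(session_id, form.get("csrf_token", "")):
        return 403
    PROFILES[session_id] = form.get("name", "")
    return 200


if __name__ == "__main__":
    sid = "session-abc"  # constructed session identifier
    print(update_profile("GET", sid, {"name": "I_suck"}))    # request from a link
    print(update_profile("POST", sid, {"name": "I_suck"}))   # form without token
    good = {"name": "Alice", "csrf_token": issue_token(sid)}
    print(update_profile("POST", sid, good))                 # site's own form
```
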
