Is either GET or POST more secure than the other?


Question

When comparing an HTTP GET to an HTTP POST, what are the differences from a security perspective? Is one of the choices inherently more secure than the other? If so, why?

I realize that POST doesn't expose information on the URL, but is there any real value in that or is it just security through obscurity? Is there ever a reason that I should prefer POST when security is a concern?


Over HTTPS, POST data is encoded, but could URLs be sniffed by a 3rd party? Additionally, I am dealing with JSP; when using JSP or a similar framework, would it be fair to say the best practice is to avoid placing sensitive data in the POST or GET altogether and using server side code to handle sensitive information instead?

Recommended answer

As far as security, they are inherently the same. While it is true that POST doesn't expose information via the URL, it exposes just as much information as a GET in the actual network communication between the client and server. If you need to pass information that is sensitive, your first line of defense would be to pass it using Secure HTTP.

GET or query string posts are really good for information required for either bookmarking a particular item, or for assisting in search engine optimization and indexing items.

POST is good for standard forms used to submit one time data. I wouldn't use GET for posting actual forms, unless maybe in a search form where you want to allow the user to save the query in a bookmark, or something along those lines.
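
An added illustration (not part of the original answer) of the point that POST exposes as much in the network communication as GET: it captures the exact bytes Python's `http.client` would send over plain HTTP for the same form, without any network I/O. The host `example.test`, the `/login` path and the field values are constructed for the example.

```python
import http.client
from urllib.parse import urlencode

SECRET = "hunter2-constructed"  # constructed sample value, not a real credential


class _CaptureSocket:
    """Stand-in socket that records what the client would put on the wire."""
    def __init__(self):
        self.sent = b""

    def sendall(self, data):
        self.sent += data

    def close(self):
        pass


class _CaptureConnection(http.client.HTTPConnection):
    def connect(self):
        self.sock = _CaptureSocket()  # replaces the TCP connect; nothing leaves the host


def wire_bytes(method, path, fields):
    """Return the bytes http.client emits when submitting `fields` via GET or POST."""
    conn = _CaptureConnection("example.test")  # assumed host, never resolved
    encoded = urlencode(fields)
    if method == "GET":
        conn.request("GET", f"{path}?{encoded}")
    else:
        conn.request("POST", path, body=encoded,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
    raw = conn.sock.sent
    conn.close()
    return raw


def exposure(raw, secret):
    """Report where `secret` appears in a raw HTTP/1.1 request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]  # "METHOD target HTTP/1.1", carries the URL
    needle = secret.encode()
    return {"on_wire": needle in raw,
            "in_url": needle in request_line,
            "in_body": needle in body}


if __name__ == "__main__":
    form = {"user": "alice", "password": SECRET}
    for method in ("GET", "POST"):
        print(method, exposure(wire_bytes(method, "/login", form), SECRET))
```

Without HTTPS, both requests carry the value in cleartext; only its position in the message (request line versus body) differs.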
