Is either GET or POST more secure than the other?

Problem description

When comparing an HTTP GET to an HTTP POST, what are the differences from a security perspective? Is one of the choices inherently more secure than the other? If so, why?

I realize that POST doesn't expose information on the URL, but is there any real value in that or is it just security through obscurity? Is there ever a reason that I should prefer POST when security is a concern?

Edit:
Over HTTPS, POST data is encoded, but could URLs be sniffed by a 3rd party? Additionally, I am dealing with JSP; when using JSP or a similar framework, would it be fair to say the best practice is to avoid placing sensitive data in the POST or GET altogether and using server side code to handle sensitive information instead?

Solution

As far as security, they are inherently the same. While it is true that POST doesn't expose information via the URL, it exposes just as much information as a GET in the actual network communication between the client and server. If you need to pass information that is sensitive, your first line of defense would be to pass it using Secure HTTP.

GET or query string posts are really good for information required for either bookmarking a particular item, or for assisting in search engine optimization and indexing items.

POST is good for standard forms used to submit one time data. I wouldn't use GET for posting actual forms, unless maybe in a search form where you want to allow the user to save the query in a bookmark, or something along those lines.
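
The answer's point about network exposure, as an added example that is not part of the original answer: the sketch below uses Python's `http.client` over an in-process socket pair to capture the exact bytes a plain-HTTP GET and POST would send, then reports where the sensitive value lands. The `/login` path, host name, field names and credentials are constructed for illustration.

```python
import http.client
import socket
from urllib.parse import urlencode

# Constructed sample data; the /login path and field names are assumptions.
SECRET = "s3cr3t-constructed"
SAMPLE = {"user": "alice", "password": SECRET}


def wire_bytes(method, params):
    """Return the raw bytes http.client sends for a GET or POST form submission."""
    ours, theirs = socket.socketpair()          # in-process pipe, no network needed
    conn = http.client.HTTPConnection("example.test")
    conn.sock = ours                            # pre-set socket so no connect happens
    encoded = urlencode(params)
    if method == "GET":
        conn.request("GET", "/login?" + encoded)
    else:
        conn.request("POST", "/login", body=encoded,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
    ours.shutdown(socket.SHUT_WR)               # signal end of request to the reader
    raw = b""
    while chunk := theirs.recv(4096):
        raw += chunk
    conn.close()
    theirs.close()
    return raw


def exposure(raw, secret):
    """Report where the secret appears in a captured cleartext request."""
    needle = secret.encode()
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]    # "METHOD /path?query HTTP/1.1"
    return {"on_wire": needle in raw,
            "in_url": needle in request_line,
            "in_body": needle in body}


if __name__ == "__main__":
    for method in ("GET", "POST"):
        raw = wire_bytes(method, SAMPLE)
        print(method, exposure(raw, SECRET))
        print(raw.decode("latin-1"))
```

Over HTTPS the request line, headers and body all travel inside the encrypted channel, so the two methods remain equivalent on the wire there as well.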
