I'm creating an API for my web application, and I have some questions about how I should be passing data such as API keys and passwords without them being intercepted by a third party. Right now they are being passed using the GET method, but to my understanding, the GET method is not very secure. Would POST be a better way to pass data, or is there another way I should use?
possible duplicate of [When should I use GET or POST method? What's the difference between them?](http://stackoverflow.com/questions/504947/when-should-i-use-get-or-post-method-whats-the-difference-between-them) – 0x5C91 Feb 05 '14 at 14:40
4 Answers
POST is as insecure as GET is. Both could be sniffed if they are sent via an unsecured channel. So the really important thing is that you are sending the data encrypted over HTTPS.

There really isn't much difference; both are sent in the clear. W3Schools provides a good explanation of the intended use of each method. You can see at the link that a POST request is not really hidden: although the variables are not visible in the URL, they are still part of the HTTP message. However, in the comparative table I linked, GET is listed as less secure than POST. It might be trivial, but it is recommended never to send content like passwords over GET, as they would appear in the clear even in the browser history or in web server logs.
All in all, use POST and GET according to the suggestions provided at the link. For secure communication, however, rely on encryption, for example by using TLS.

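The point made in the answers above (POST hides the parameters from the URL but not from the wire) can be checked directly. The following is an added example, not code from the original page or from any of the answerers: it captures the exact bytes Python's `http.client` would put on the wire for a GET request with the key in the query string, a POST with the key in the body, and a GET with the key in an `Authorization` header, without opening a socket, and then checks what a sniffer sees versus what a typical access log (which records only the request line) would retain. The host `api.example.test`, the path `/v1/account` and the key value are made-up placeholders.

```python
"""Added example: what a sniffer and a web-server access log see for GET vs POST.

Captures the raw HTTP/1.1 request bytes that http.client emits, using a
recording stand-in for the socket so nothing is sent over the network.
All names and values below are constructed for illustration.
"""
import http.client
import io
from urllib.parse import urlencode

# Constructed placeholder; not a real credential.
API_KEY = "sk_test_EXAMPLE_NOT_A_REAL_KEY"
HOST = "api.example.test"   # hypothetical host, never contacted


class RecordingSocket:
    """Stands in for a TCP socket and records every byte the client sends."""

    def __init__(self):
        self.buffer = io.BytesIO()

    def sendall(self, data):
        self.buffer.write(data)

    def close(self):
        pass


def capture_request(method, path, body=None, headers=None):
    """Return the raw request bytes http.client would write to the socket."""
    conn = http.client.HTTPConnection(HOST)
    sock = RecordingSocket()
    conn.sock = sock            # pre-seeding the socket prevents any connect()
    conn.request(method, path, body=body, headers=headers or {})
    return sock.buffer.getvalue()


def get_with_key_in_query():
    """Key in the query string: lands in the request line (URL, history, logs)."""
    return capture_request("GET", "/v1/account?" + urlencode({"api_key": API_KEY}))


def post_with_key_in_body():
    """Key in a form-encoded body: not in the URL, but still on the wire."""
    return capture_request(
        "POST", "/v1/account",
        body=urlencode({"api_key": API_KEY}).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def get_with_key_in_header():
    """Key in an Authorization header: not in the URL, still on the wire."""
    return capture_request("GET", "/v1/account",
                           headers={"Authorization": "Bearer " + API_KEY})


def request_line(raw):
    """The first line of the request, which is what a common access log records."""
    return raw.split(b"\r\n", 1)[0].decode()


def leaks_to_sniffer(raw):
    """True if the key appears anywhere in the plaintext bytes on the wire."""
    return API_KEY.encode() in raw


def leaks_to_access_log(raw):
    """True if the key appears in the request line an access log would keep."""
    return API_KEY in request_line(raw)


if __name__ == "__main__":
    for label, raw in (("GET  key in query ", get_with_key_in_query()),
                       ("POST key in body  ", post_with_key_in_body()),
                       ("GET  key in header", get_with_key_in_header())):
        print(f"{label}: sniffer sees key={leaks_to_sniffer(raw)}, "
              f"access log keeps key={leaks_to_access_log(raw)}  "
              f"[{request_line(raw)}]")
```

Running it shows the key in all three captures, which is what an attacker on the path sees when the connection is plain HTTP; only the GET-with-query variant also puts the key into the request line, and therefore into browser history and server access logs. Moving the key out of the URL (POST body or `Authorization` header) fixes the logging problem; only TLS (an `HTTPSConnection` with certificate verification left enabled) fixes the sniffing problem.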
It isn't so much GET vs POST that secures your app; if an attacker has access to the stream, he can see the variables either way.
You should be sending the data over HTTPS, which encrypts data both ways and (if implemented correctly) means that only the client and server can see what data is being passed.

POST is more secure than GET for a couple of reasons:
1. Parameters are not saved in browser history.
2. Cannot be bookmarked.
3. The browser usually alerts the user that data will need to be re-submitted.
4. multipart/form-data or application/x-www-form-urlencoded; use multipart encoding for binary data.
5. Can send parameters, including uploading files, to the server.
**6. More difficult to hack.**
7. No restrictions. Binary data is also allowed.
8. POST method variables are not displayed in the URL.
9. Not cached.
10. 8 MB max size for the POST method.
So POST values are secure.
