0

My issue: I know someone who wants to send personal information (email address, first and last name) by way of a query string to an end URL. POST requests are not possible.

Is this a valid way to do this in this age of enhanced cybersecurity? I'm guessing "no". Is this flat-out wrong and/or frowned upon? Is this illegal? I'm trying to feed my friend valid reasons about why this is not appropriate.

KingFish
  • Well, names are usually pretty common so there's nothing really sensitive about them. But when coupled with an IP address or email address, it's probably best to follow best practices. Also, GETs are prefetched, so the browser may submit the information even if the user does not take action (like click 'Submit'). So it's probably better to use a POST. – jww Dec 01 '14 at 04:32
  • Almost same question and answer over here. http://stackoverflow.com/questions/26671599/are-security-concerns-sending-a-password-using-a-get-request-over-https-valid/26767469#26767469 – Mehmet Ince Dec 01 '14 at 09:14

1 Answer

1

In my opinion, POST requests are NOT more secure than GET requests and the data can be easily intercepted. If you care about security of the sensitive information, you should use "https": http://en.wikipedia.org/wiki/HTTP_Secure

Edit:

The query string is also secure when using HTTPS: https://stackoverflow.com/a/323286/400552 The answer refers to other reasons why using GET might be a bad idea though.

Community
pshah
  • @iamnotmaynard The query string is secure, but there are other reasons why using GET is a bad idea. Edited the answer to include those details. – pshah Dec 01 '14 at 04:20
  • Is it really? I was wondering about that, but I thought it wasn't. Sorry. Comment retracted. – Reinstate Monica -- notmaynard Dec 01 '14 at 04:26
  • Browsers often prefetch GET links. If the information is sensitive, then you don't want the information submitted automatically without the user taking action. So POST would probably be a better choice. – jww Dec 01 '14 at 04:33
  • @jww I agree. I already edited my answer stating that GET is a poor choice and also included a link to another SO answer that explains the reasons. – pshah Dec 01 '14 at 04:37
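
Added example, not part of the original question, answer or comments: HTTPS encrypts the query string in transit, but the receiving server still sees the full URL and web servers commonly write it to their access logs, which is one of the reasons GET is a poor fit for personal data. The sketch below redacts personal parameters from access-log lines; the parameter names `email`, `first` and `last`, the `/signup` path and the log lines themselves are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names carrying personal data (not from the original page).
SENSITIVE = {"email", "first", "last"}

# Request line inside a Common/Combined Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_target(target):
    """Return (redacted_target, sorted list of sensitive parameter names found)."""
    parts = urlsplit(target)
    found, pairs = set(), []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            found.add(key.lower())
            value = "REDACTED"
        pairs.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(pairs))), sorted(found)

def scrub_log_line(line):
    """Redact sensitive query parameters in one access-log line."""
    hits = []
    def _sub(m):
        target, found = redact_target(m.group("target"))
        hits.extend(found)
        return f'"{m.group("method")} {target} {m.group("proto")}"'
    return REQUEST_RE.sub(_sub, line), hits

# Constructed sample log lines (documentation IP range, example.com address).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Dec/2014:04:32:10 +0000] '
    '"GET /signup?email=alice%40example.com&first=Alice&last=Smith&ref=nl HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Dec/2014:04:32:11 +0000] "POST /signup HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        clean, hits = scrub_log_line(line)
        print(hits, clean)
```

The GET line carries all three personal fields into the log, while the POST line has nothing to redact because its body is not part of the request line.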