
Recently I attended a training on MVC. The trainer said that, as per the security concerns, we have to use HttpPost instead of HttpGet. Always use HttpPost.

Can anyone explain what the security issue is when we use HttpGet?

Dev Try
  • The risk of using GET for actions is: Click here! Also, the fact that you'll trigger the action again after leaving the page and then pressing the back button of your browser. – Kevin Gosse Jun 30 '16 at 10:54
  • See this post for a bit of information on the subject: http://stackoverflow.com/questions/2080863/what-is-the-difference-between-a-http-get-and-http-post-and-why-is-http-post-wea – Ben Jones Jun 30 '16 at 10:58
  • HttpGet should be used only with the URLs called from the address bar. All the button and link clicks should be called using HttpPost, because, for example, 'www.users.com/user/getinfo/4' gets data for id 4. In this case, the user can easily get data for other users by simply passing a different id in the URL. – Shashank Sood Jun 30 '16 at 11:05
  • I am still trying to figure out why this question was downvoted. This is such a common misconception about how GET and POST really work under the hood. So many people come from WebForms, where everything is handled for them, and when they make the switch to MVC it's like being handed the keys to a Lambo and they get overwhelmed. – Kevin B Burns Jun 30 '16 at 12:44

2 Answers


When transmitting data over a secure connection (HTTPS), the body of the POST request is encrypted and practically unreadable; you can only see the address where the data is going, but not the data itself. GET, on the other hand, has no body, and the data has to be transmitted either in the query string or as a path parameter. While it is true that the query string gets encrypted as well, due to request logging on the server and in the browser it is possible to get hold of that data.

chehh984

Anyone can insert an image on a public forum or on Stack Overflow with a link to your web site. Then the following happens:

  1. The browser looks at the URL in the image tag
  2. The browser finds the cookies corresponding to the domain in the URL
  3. The browser sends a request to the URL with the user's cookies
  4. Your server performs the action
  5. The browser tries to parse the response as an image and fails
  6. The browser renders an error instead of the image

But if you mark your action as HttpPost only, then this scenario isn't applicable for 90% of sites. But you should also consider that if a hacker can create a form on another web site, then he can still make the browser perform the request. So you need CSRF protection. Well, browsers have done a lot to prevent cross-site requests, but it's still possible in some scenarios.

Viktor Lova