4

As the title may possibly suggest, I'm wondering what's more secure for AJAX requests: POST or GET. I can't work out which is better because they're both hidden from the user due to the URI being sent via AJAX, not in the URL bar.

Thanks,

James

Bojangles
  • Thank you all for your answers! They're all right but I can only mark the best one correct. Up votes for you all, however :) Thanks for the input people! – Bojangles Nov 24 '10 at 21:02

5 Answers

4

Neither add any security against either man-in-the-middle attacks or the end user. Both can be intercepted and tampered with using Wireshark, Firebug, or other tools.

If you want security against interception, you can use HTTPS. That does not prevent the user from sending requests manually, though.

Matthew Flaschen
2

It's almost trivially easy to inspect the contents of both POST and GET values. Your best bet, if you do not want the user to be able to get at that data directly, is to encrypt it, and / or send it over SSL.

Matthew Vines
  • Encryption does not secure against the user. They can still send encrypted requests manually, and there are also tools like Fiddler making it easy to inspect HTTPS traffic. – Matthew Flaschen Nov 24 '10 at 19:15
  • I agree that the user could in theory send over encrypted requests, but hopefully your private key will not be known to them, which would make it pretty difficult to do so successfully. – Matthew Vines Nov 24 '10 at 19:19
  • V, the user will have full access to any client-side private key, whether it's an SSL client certificate, or hard-coded into JavaScript. – Matthew Flaschen Nov 24 '10 at 19:53
2

There are no security differences between POST and GET used in AJAX. They are not hidden from the user - a simple tool like Fiddler would allow the user to see those requests. The payload in both is in plain text (i.e., as your script created it). The only difference is that the POST payload is in the body of the request and the GET payload is in the query params of the URL.

Franci Penov
1

They are not hidden from the user at all; install Firebug on Firefox and they are able to see the URI. Your choice of using GET or POST depends on the data sent; and if you're going by REST standards, on the operation.

Treat an AJAX call as you would information coming from the client through a form or through the address bar: verify and sanitize.

Extrakun
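The two points the answers above make, shown in code (an added example, not from any answer in the thread): the same AJAX payload lands in the query string for GET and in the body for POST, both as plain text the client can rewrite, so the server validates the parameters the same way whichever place they arrived in. The `/api/update` path and the id/name schema are made-up assumptions for the example; it runs under Node.js with no dependencies.

```javascript
// Added example: GET vs POST carry the same plaintext in different places,
// and server-side validation must not depend on which one was used.

// Build the wire-level form of one AJAX payload for either method.
function buildRequest(method, path, payload) {
  const encoded = new URLSearchParams(payload).toString();
  if (method === "GET") {
    // Query string: visible in the request line and any proxy/log.
    return { method, target: `${path}?${encoded}`, body: "" };
  }
  // Body: not in the URL, but just as readable in Firebug/Fiddler.
  return {
    method,
    target: path,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: encoded,
  };
}

// Server side: pull parameters out of wherever they arrived.
function extractParams(req) {
  const raw = req.method === "GET" ? (req.target.split("?")[1] || "") : req.body;
  return Object.fromEntries(new URLSearchParams(raw));
}

// Hypothetical schema: a positive integer id and a short, plain name.
// Both methods go through exactly the same checks.
function validate(params) {
  const errors = [];
  if (!/^\d{1,9}$/.test(params.id ?? "")) errors.push("id must be a positive integer");
  if (!/^[A-Za-z0-9 _-]{1,32}$/.test(params.name ?? "")) errors.push("name is invalid");
  return { ok: errors.length === 0, errors };
}

// Constructed sample: a payload the client has edited before sending.
const tampered = { id: "42; DROP TABLE users", name: "alice" };
const getReq = buildRequest("GET", "/api/update", tampered);
const postReq = buildRequest("POST", "/api/update", tampered);

// Same bytes, different location; same verdict from the validator.
console.log(getReq.target);                       // /api/update?id=42%3B+DROP+TABLE+users&name=alice
console.log(postReq.body);                        // id=42%3B+DROP+TABLE+users&name=alice
console.log(validate(extractParams(getReq)));     // { ok: false, errors: [...] }
console.log(validate(extractParams(postReq)));    // { ok: false, errors: [...] }
```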
1

They can view the page source and see where your target URL is and what parameters are being passed either way.

jon_darkstar