-2

Which is more secure between @RequestParam and @RequestBody in a Spring Framework application?

I am using @PostMapping in the backend. I am using @RequestParam as well as @RequestBody.

@RequestParam for a few request parameters, one or two.

@RequestBody for a large request as an object with multiple fields.

Thanks in advance.

Victor M Perez
Nabin Kumar Khatiwada
  • I think they're used for completely different purposes – Victor M Perez Mar 22 '18 at 14:26
  • Define "secure" in this context. – takendarkk Mar 22 '18 at 14:26
  • Secure - Not easily intercepted or hacked – Nabin Kumar Khatiwada Mar 22 '18 at 14:27
  • 3
    Possible duplicate of [What is difference between @RequestBody and @RequestParam?](https://stackoverflow.com/questions/28039709/what-is-difference-between-requestbody-and-requestparam) – Kepotx Mar 22 '18 at 14:30
  • I already read that. There is no mention of security anywhere. So, does it have nothing to do with security, whichever we use? – Nabin Kumar Khatiwada Mar 22 '18 at 14:33
  • 1
    Assuming SSL, while **in transit** it doesn't matter. However, consider a URL such as `https://example.com/login?userId=jdoe&password=god`. This URL will be in the browser history, and could also be bookmarked, so it is easily visible to anybody that gains access to the same device. Also, some systems will log the URL for auditing purposes, inadvertently exposing sensitive data. – Andrew S Mar 22 '18 at 14:34

1 Answer

0

To be honest, there shouldn't be much difference if we consider security, aside from what Andrew already mentioned. I just want to add that using RequestParam for POST calls is rather a bad practice. I think you should pay more attention to which request method you are using and consider the overall structure of your REST API.

K. Palka
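
The difference raised in the comments and the answer, shown as an added example that is not part of the original posts: on a POST handler, `@RequestParam` is also satisfied by values in the query string, so a sensitive value can end up in the URL and therefore in history and logs, while `@RequestBody` reads only the body. The endpoint paths, the `LoginRequest` class and the presence of a Spring Security `AuthenticationManager` bean are assumptions made for the illustration.

```java
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class LoginController {

    // Hypothetical JSON payload; the field names are assumptions.
    public static class LoginRequest {
        public String userId;
        public String password;
    }

    // Assumed to be exposed as a bean by the application's security configuration.
    private final AuthenticationManager authManager;

    public LoginController(AuthenticationManager authManager) {
        this.authManager = authManager;
    }

    // Weak: request parameters come from the form body OR the query string, so
    // POST /login-param?userId=jdoe&password=... is accepted, and the password
    // is then recorded wherever the URL is (access logs, proxies, history).
    @PostMapping("/login-param")
    public ResponseEntity<Void> loginWithParams(@RequestParam("userId") String userId,
                                                @RequestParam("password") String password) {
        return authenticate(userId, password);
    }

    // Preferred: values are bound only from the JSON body, so a client cannot
    // satisfy this handler by putting the credentials in the URL.
    @PostMapping(path = "/login-body", consumes = "application/json")
    public ResponseEntity<Void> loginWithBody(@RequestBody LoginRequest request) {
        return authenticate(request.userId, request.password);
    }

    private ResponseEntity<Void> authenticate(String userId, String password) {
        try {
            authManager.authenticate(new UsernamePasswordAuthenticationToken(userId, password));
            return ResponseEntity.noContent().build();
        } catch (AuthenticationException e) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
    }
}
```

Neither handler changes what is protected in transit; as noted in the comments, that depends on TLS, not on the annotation.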