
I have an API which fetches data for a particular user based on the supplied user ID. Since I am only fetching the data from a DB, I have made this API use GET requests.

URL : https://ui.sms.co.in:8443/config/v1/camp
HTTP Method: GET
Request Parameters:
type:1
userId:1000
startDate:2019-05-28
endDate:2019-05-28

After reading various websites, I found that I should not expose userId in the URL and that I should change the API from GET to POST. By making it POST, I will not be exposing any data in the URL, but I don't want to make it POST since I am not creating any resource. Should I make it POST; would that be wise?

Agi Hammerthief
AshishUpadhyay
  • Rule of thumb is to not put sensitive data in GET parameters. Are user ID numbers sensitive information? Make it a POST instead. By the way, user IDs are usually not sensitive, for example your StackOverflow user ID is 8523074. My own is 1067003. – hanshenrik Jun 26 '19 at 07:11
  • Are you not [confusing `POST` with `PUT`](https://stackoverflow.com/questions/107390/whats-the-difference-between-a-post-and-a-put-http-request)? It's perfectly fine (and recommended) to [`POST` (potentially) sensitive data such as user IDs](https://stackoverflow.com/questions/504947/when-should-i-use-get-or-post-method-whats-the-difference-between-them) and login credentials. – Agi Hammerthief Jun 26 '19 at 07:13
  • @hanshenrik it's a business requirement. I cannot expose userId – AshishUpadhyay Jun 26 '19 at 07:22
  • @AshishUpadhyay then make it a POST request, do not put it in the URL. – hanshenrik Jun 26 '19 at 07:23
  • You cannot expose the userid specifically, or you cannot expose any unique identifying property of a user at all? If the former, use `GET` with an arbitrary unique identifier, such as a UUID. – Eric Stein Jun 26 '19 at 15:17
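
An added example, not part of the original question or comments, of the option raised in the last comment: keep GET but carry a random UUID instead of the numeric userId. `PublicIdMap`, the `uid` parameter name and `authenticated_user_id` (assumed to come from the caller's session or token) are hypothetical; the URL and the other parameters are the ones in the question.

```python
import uuid
from urllib.parse import urlencode, urlsplit, parse_qs

BASE_URL = "https://ui.sms.co.in:8443/config/v1/camp"  # endpoint from the question


class PublicIdMap:
    """Hypothetical in-memory map: internal numeric user ID <-> opaque UUID."""

    def __init__(self):
        self._by_public = {}
        self._by_internal = {}

    def public_id_for(self, internal_id):
        # One random UUIDv4 per user; it reveals nothing about the internal ID.
        if internal_id not in self._by_internal:
            pid = str(uuid.uuid4())
            self._by_internal[internal_id] = pid
            self._by_public[pid] = internal_id
        return self._by_internal[internal_id]

    def resolve(self, public_id):
        return self._by_public.get(public_id)


def build_get_url(public_id, type_, start, end):
    # "uid" is an assumed parameter name that replaces userId in the query string.
    query = urlencode({"type": type_, "uid": public_id,
                       "startDate": start, "endDate": end})
    return f"{BASE_URL}?{query}"


def handle_get(url, ids, authenticated_user_id):
    """Return (status, internal_id). The UUID is a lookup key, not a credential."""
    params = parse_qs(urlsplit(url).query)
    internal = ids.resolve(params.get("uid", [""])[0])
    if internal is None:
        return 404, None          # unknown identifier
    if internal != authenticated_user_id:
        return 403, None          # a known UUID alone grants no access
    return 200, internal


if __name__ == "__main__":
    ids = PublicIdMap()
    url = build_get_url(ids.public_id_for(1000), 1, "2019-05-28", "2019-05-28")
    print(url)                    # what a proxy or access log would record
    print(handle_get(url, ids, authenticated_user_id=1000))
```

The URL that ends up in logs and browser history then contains only the UUID, and the ownership check keeps a leaked UUID from acting as a password.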

0 Answers