
I understand when POST is required, and the code has been implemented accordingly. But a software penetration test came back with this recommendation:

Only accept POST requests for POSTing the data. A request designed as a POST request should not accept the same data via the GET method.

So, using a proxy tool, I can modify an intended "POST" into a "GET", and it goes through. It would be nice if this "GET" request were refused.

I guess my real question is: how do I know, in the code, what requires an HTTP POST and what does not? The only thing I can think of is to have some HTTP parameter that tags a request as one that has to be a "POST". Any other options?

riceball
  • What language is your application in? With PHP for example you could check `$_SERVER['REQUEST_METHOD']` to see if the request was a POST or not. Other languages should have a similar ability. – kicken Sep 25 '20 at 15:41
  • @kicken Java. Yes, I understand that part. But let's say I find that the incoming request is a "GET". How do I determine that it should have been a "POST"? – riceball Sep 25 '20 at 15:55
  • It's up to you to determine which method you should use for your request and write the application accordingly. For help with that, see [When do you use POST and when do you use GET?](https://stackoverflow.com/a/46614/3939512) – kicken Sep 25 '20 at 20:06
  • @kicken Got you. Thanks! – riceball Sep 26 '20 at 19:53

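One way to make the "this endpoint is POST-only" decision explicit in a Java servlet application, as an added example (not code from the question or the comments): a filter holds an allow-list of methods per path and answers anything else with 405 Method Not Allowed, so a POST rewritten into a GET through a proxy is refused before any handler runs. The paths in the table are hypothetical, and the code assumes the `javax.servlet` 4.0+ API and Java 9+ (for `Map.of`/`Set.of`).

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Declares, per path, which HTTP methods the application intends to accept.
// Any other method on a listed path (e.g. a POST form replayed as a GET)
// is rejected with 405 before the request reaches a servlet.
@WebFilter("/*")
public class MethodAllowListFilter implements Filter {

    // Hypothetical paths for illustration. This table is the design decision
    // the pentest finding asks you to make explicit: state-changing endpoints
    // accept POST only, read-only endpoints accept GET (and HEAD).
    private static final Map<String, Set<String>> ALLOWED = Map.of(
        "/login",          Set.of("POST"),
        "/account/delete", Set.of("POST"),
        "/account",        Set.of("GET", "HEAD"));

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root; the query string is not part of getRequestURI()
        String path = request.getRequestURI().substring(request.getContextPath().length());
        Set<String> allowed = ALLOWED.get(path);

        if (allowed != null && !allowed.contains(request.getMethod())) {
            // RFC 7231 section 6.5.5: a 405 response must carry an Allow header
            response.setHeader("Allow", String.join(", ", allowed));
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return; // do not continue the chain for a disallowed method
        }
        chain.doFilter(req, res);
    }
}
```

Without a filter, the same effect per servlet comes from overriding only `doPost` and leaving `doGet` untouched: `HttpServlet`'s default `doGet` already responds with 405 (or 400 for HTTP/1.0 clients).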