
I am working with some legacy code that uses HTTPS GET requests, and for some operations it sends the user ID from the front end to the back end. The security officer is now asking for more security, i.e. encryption. The development team thinks it is overengineering, as we are already using HTTPS, but the CISO insists and even advises using POST instead of GET for requests wherever we send an ID (and other sensitive data). We know that POST requests are not advised for getting data, although there are different opinions here and here.

The question I want to ask is: would it be better to comply with the CISO and use POST instead of GET for requests, or does it make more sense to additionally encrypt the FE-to-BE request?

Nenad Bulatović
  • When using HTTPS, using POST instead of GET would make sense in case the application is used in a web browser (-> GET request data can appear in browsing history). – Robert Jan 19 '22 at 11:09
  • @Robert Yes, and also when a GET request is received, many servers log information about the incoming request. Most of them will log the whole requested URL including query parameters, which might include sensitive information. – Nenad Bulatović Jan 20 '22 at 07:40
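
The logging behaviour described in the comments above, as an added example that is not part of the original thread: a small audit script that scans access-log lines in the common/combined format for query parameters carrying identifiers and produces a redacted copy. The parameter names in `SENSITIVE` and the sample log lines are constructed assumptions; TLS protects these values in transit, but not once the server writes the request line to disk.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumed names of parameters considered sensitive; adjust to the application.
SENSITIVE = {"userid", "user_id", "id", "token", "email"}

# Request part of a common/combined access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP range, invented paths and values).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jan/2022:07:40:00 +0000] "GET /api/orders?userId=48213&page=2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Jan/2022:07:40:05 +0000] "POST /api/orders/search HTTP/1.1" 200 498',
    '203.0.113.9 - - [20/Jan/2022:07:41:10 +0000] "GET /static/app.js HTTP/1.1" 200 10240',
]

def find_exposed_params(line):
    """Return (method, path, [sensitive names]) or None if nothing is exposed.

    The method is not filtered: a POST that still puts the ID in the query
    string is logged exactly like a GET, so it is reported too.
    """
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() in SENSITIVE]
    return (m.group("method"), parts.path, names) if names else None

def redact(line):
    """Return the line with the values of sensitive query parameters masked."""
    def _sub(m):
        parts = urlsplit(m.group("target"))
        pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
                 for k, v in parse_qsl(parts.query, keep_blank_values=True)]
        target = parts.path + ("?" + urlencode(pairs) if pairs else "")
        return m.group(0).replace(m.group("target"), target, 1)
    return REQUEST_RE.sub(_sub, line, count=1)

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        hit = find_exposed_params(entry)
        if hit:
            print("exposed:", hit)
            print("redacted:", redact(entry))
```

The second sample line shows the same lookup sent with the ID in a POST body: the request line that reaches the log contains no identifier, because access logs record the URL and not the body by default.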

0 Answers