-1

req.params property

We can call a DELETE request by using the req.params.id by gathering URL parameters for pointing to a record by its id for example to a backend route /users/delete/id/:id

req.query property

We can call a DELETE request by using req.query.id for extracting a JSON object and send it to a backend route /users/delete?id=2 to the controller/model for a record to be deleted like {"id": "2"}

Question

What is the safest way for sending data to DELETE requests in terms of security issues that a user may take advantage of directly or indirectly considering we already have a safe login system?

Cadmos
  • 277
  • 4
  • 21
  • 2
    You wouldn't create a unique route for delete - it would be dictated by the http method (get, post, delete, patch), and typically you would use params. You also don't need "id" in the path, `/users/:id` is common. I would just follow convention here, instead of questioning the security of a common practice. – JBallin Sep 17 '22 at 16:36
  • 1
    If you want to look more into security, you can start [here](https://stackoverflow.com/a/36257442/4722345). – JBallin Sep 17 '22 at 16:43

1 Answers1

1

If you were using GET or POST then the URL and body (if it wasn't JSON) might be vulnerable to CSRF attacks, but you can't trigger a DELETE request with cross-origin code (unless explicitly granted permission with a perflight CORS request).

You aren't, so it doesn't make any difference (at least from a security perspective).

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
  • Expanding your answer's context, shouldn't POST be also a potential vulnerability for sending an object (JSON) to the backend? – Cadmos Sep 17 '22 at 21:04
  • @Cadmos — How could an attacker cause an authenticated user’s browser to make such a request? – Quentin Sep 17 '22 at 21:19
  • Security does not concern just attacks in its strict meaning, it could be the authenticated user to be able to manipulate transactions through his DOM and similar things if he has enough information. Just seeking potential risk I may with my knowledge ignore yet. – Cadmos Sep 17 '22 at 22:04
  • An authenticated user has complete control over what they send. The request method makes no difference. – Quentin Sep 18 '22 at 08:24
  • "of what they send" of course, but "where" do they send it? how about that info – Cadmos Sep 18 '22 at 08:50
  • An authenticated user has complete control over where they send things too. – Quentin Sep 18 '22 at 08:51