0

I have a service that elaborates data sent to it in Headers. I use GET requests to send and receive back the elaborate data.

An example is:

  const Http = new XMLHttpRequest();
  const url = "https://myendpoint.com";
  const method = "GET";

  Http.open(method, url, true);

  Http.setRequestHeader("Costum_Data_1", "my_costum_data_1");
  Http.setRequestHeader("Costum_Data_2", "my_costum_data_2");

I know that there's the POST method but, from a security point of view, sending data like that is ok?

UnsanitizedInput
  • 129
  • 10
NicoCaldo
  • 1,171
  • 13
  • 25
  • You will get a preflight and you will need to handle option requests on the server – mplungjan Apr 12 '23 at 14:07
  • "OK" is largely a matter of opinion. It's *weird*. It loses many of the benefits of using GET. GET might not be the right choice of method in the first place. – Quentin Apr 12 '23 at 14:11
  • If the backend is a C# controller it changes how the backend retrieves that value. It would have to be fetched from the Request.Headers["my_custum_data_1"] Where something included in the body of the post could be used in the controller method parameters: [FromBody] List fields for example – TheEvilMetal Apr 12 '23 at 14:11
  • @TheEvilMetal — GET requests shouldn't (and, when sent via `XMLHttpRequest`, **can't**) have bodies. – Quentin Apr 12 '23 at 14:11
  • @TheEvilMetal The backend is an edge function in JS. Yeah, I know how to handle it on the backend, I was just curious if that was the way to go in terms of security and best practice. – NicoCaldo Apr 12 '23 at 14:24

0 Answers0