GET and POST Security Differences

A lot of people mistakenly believe that POST is more secure than GET. They are relying on security by obscurity (which is no security at all) and fail to understand that, with a simple browser extension, POST data can be changed just as easily as GET data.

GET and POST serve two completely different purposes. The purpose of GET is to retrieve data from the server. The data is assumed to be unchanged between repeated requests for the same resource by the same browser, so the browser is allowed to cache the result returned the first time and simply present that again, without contacting the server, if the same request is repeated.

POST assumes that the call will change something on the server, so it is always sent to the server for processing. It can therefore also return different values when the same request is made multiple times. In fact, so many newbie-written servers have failed to cater for the same request being sent twice, duplicating data as a result, that many browsers now ask for confirmation before sending the same POST a second time. Had the server code been written properly, it would recognise the duplicate request and deal with it correctly regardless of how many times the same request is submitted.

So now that we know how the two requests compare in what they do, how does this affect security?

Well, GET only accesses the server once for duplicates, and so is more secure in that unnecessary requests don't get sent to the server.

GET only retrieves data, so someone hijacking a GET request might gain access to information but can't change anything.

POST requests are often incorrectly coded on the server by newbies, so a request can easily be hijacked and duplicated multiple times, bypassing the confirmation check built into the browser and resulting in the duplicates actually being processed.
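One way of dealing with the duplicate-POST problem described above is to make the server-side handler idempotent, so that the same request submitted any number of times is processed exactly once. The following is an added example written for this page, not code from the article or its author. It assumes a client-supplied `Idempotency-Key` header (a common convention, not something the article specifies), keeps its records in memory, and runs a constructed funds-transfer scenario; it also shows the GET handler being strictly read-only.

```python
# Added example (not from the original article): a server that handles POST
# idempotently so that a resubmitted or replayed request is processed once.
# The "Idempotency-Key" header name and the in-memory stores are assumptions
# made for illustration.
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class Account:
    balance: int


@dataclass
class Server:
    accounts: dict                                  # account id -> Account
    processed: dict = field(default_factory=dict)   # idempotency key -> record

    def handle_get(self, query: dict) -> dict:
        """GET is read-only: it must never mutate server state."""
        acct = self.accounts.get(query.get("account"))
        if acct is None:
            return {"status": 404, "body": {"error": "unknown account"}}
        return {"status": 200, "body": {"balance": acct.balance}}

    def handle_post(self, headers: dict, body: dict) -> dict:
        """POST /transfer with a client-supplied idempotency key."""
        key = headers.get("Idempotency-Key")
        if not key:
            return {"status": 400, "body": {"error": "Idempotency-Key required"}}
        # Fingerprint the body so one key cannot be reused for a different request.
        fingerprint = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        prior = self.processed.get(key)
        if prior is not None:
            if prior["fingerprint"] != fingerprint:
                return {"status": 409, "body": {"error": "key reused with different body"}}
            return prior["response"]      # duplicate: return stored result, change nothing
        response = self._apply_transfer(body)
        # Record the outcome (success or failure) so that every replay gets the same answer.
        self.processed[key] = {"fingerprint": fingerprint, "response": response}
        return response

    def _apply_transfer(self, body: dict) -> dict:
        # Validate every field: a POST body is client-controlled, exactly like a query string.
        src = self.accounts.get(body.get("from"))
        dst = self.accounts.get(body.get("to"))
        amount = body.get("amount")
        if src is None or dst is None or src is dst:
            return {"status": 400, "body": {"error": "bad accounts"}}
        if not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0:
            return {"status": 400, "body": {"error": "bad amount"}}
        if src.balance < amount:
            return {"status": 400, "body": {"error": "insufficient funds"}}
        src.balance -= amount
        dst.balance += amount
        return {"status": 200, "body": {"from": src.balance, "to": dst.balance}}


def demo() -> dict:
    """Constructed scenario: one POST submitted three times, then the same key with a changed body."""
    server = Server(accounts={"alice": Account(100), "bob": Account(0)})
    headers = {"Idempotency-Key": "txn-0001"}
    body = {"from": "alice", "to": "bob", "amount": 30}
    results = [server.handle_post(headers, body) for _ in range(3)]
    tampered = server.handle_post(headers, {**body, "amount": 90})
    balance_view = server.handle_get({"account": "alice"})
    return {
        "statuses": [r["status"] for r in results],
        "alice": server.accounts["alice"].balance,
        "bob": server.accounts["bob"].balance,
        "tampered_status": tampered["status"],
        "get_balance": balance_view["body"]["balance"],
    }


if __name__ == "__main__":
    print(demo())
```

The transfer is applied once even though the POST arrives three times, and reusing the key with a different body is rejected rather than silently served from the stored result. Storing the response for failures as well as successes keeps replays consistent, and the GET handler has no side effects at all, which is the property the article relies on when it says a hijacked GET cannot change anything. The browser's confirmation prompt is not part of this design; the server does not depend on it.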

So while the basic security of both access methods starts out the same (both can just as easily be modified before sending, and both can just as easily be modified in transit), the different purposes the two serve mean that GET is a far more secure method than POST, simply because POST is the one that allows changes to be made.


This article written by Stephen Chapman, Felgall Pty Ltd.