JJ Zabkar JJ Zabkar - 17 days ago 5
HTTP Question

Should I use GET or POST when requesting sensitive data?

Should I use

GET
or
POST
for retrieving sensitive data, given that:


  • The response will contain sensitive data.

  • There are side-effects to the request (such as explicit accountability logging).



The RFC 2616, to me, doesn't clarify this for me:


9.1.1 Safe Methods

Naturally, it is not possible to ensure that the server does not generate side-effects as a result of performing a
GET
request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them. [...]

Answer

A step back

First of all, the RFC 2616 is obsolete. Hence, it shouldn't be used as a reference anymore.

Below you'll find the current references for the HTTP/1.1 protocol:

The safe property

Have a look at what the RFC 7231 says about safe methods:

4.2.1. Safe Methods

Request methods are considered "safe" if their defined semantics are essentially read-only; i.e., the client does not request, and does not expect, any state change on the origin server as a result of applying a safe method to a target resource. [...]

This definition of safe methods does not prevent an implementation from including behavior that is potentially harmful, that is not entirely read-only, or that causes side effects while invoking a safe method. What is important, however, is that the client did not request that additional behavior and cannot be held accountable for it. For example, most servers append request information to access log files at the completion of every response, regardless of the method, and that is considered safe even though the log storage might become full and crash the server. [...]

Of the request methods defined by this specification, the GET, HEAD, OPTIONS, and TRACE methods are defined to be safe. [...]

In the context of HTTP methods, safe is not related to security and, in a similar way, safe is not about how you deal with sensitive data. Safe means read-only.

As stated above, the use of safe methods do not prevent you from performing operations that are not read-only, such as logging the request to a file. However, this operations should be transparent for the client.

Which method should you use?

It depends on the operation you are performing. In REST APIs, the POST method is frequently used to create resources while the GET method is frequently used to request a representation of a resource.

And how about security and sensitive data?

Security is not related to the method you are using. If you want to ensure security when sending sensitive data over the wire, use HTTPS.