Passing parameters in URL

Diez B. Roggisch deets at nospam.web.de
Thu Feb 4 04:23:40 EST 2010


Am 04.02.10 03:52, schrieb Nobody:
> On Wed, 03 Feb 2010 14:09:07 -0800, Paul Rubin wrote:
>
>>> Also, your claim of it being more risky is simply nonsense. GET is a
>>> tiny bit more prone to tinkering by the average user. But calling this
>>> less risky is promoting security by obscurity, at most.
>>
>> GET parameters also tend to get recorded in the http logs of web proxies
>> and web servers while POST parameters usually aren't.
>
> More significantly, they'll appear in the Referer: header for any link the
> user follows from the page, so they're visible to anyone who can get a
> link to their site onto the page (whether<a href=...>,<img src=...>  or
> whatever).
>
> Even if this isn't possible at the moment, will you remember to fix it the
> first time you allow an off-site link?
>
> You should assume that anything which goes into a GET request is visible
> to the entire world. Don't put anything even remotely private in there.

You mean like

   http://www.google.de/search?q=dirty+buttsex

? Which is the key example for when to use GET - non-modifying queries.

I agree though that you have to be cautious about that, and using POST 
makes it easier to do so.

Diez



More information about the Python-list mailing list