Source: php.net comment section

-- nucc1

worth clarifying:

POST is not more secure than GET.

The reasons for choosing GET vs POST involve various factors such as intent of the request (are you "submitting" information?), the size of the request (there are limits to how long a URL can be, and GET parameters are sent in the URL), and how easily you want the Action to be shareable -- Example, Google Searches are GET because it makes it easy to copy and share the search query with someone else simply by sharing the URL.

Security is only a consideration here due to the fact that a GET is easier to share than a POST. Example: you don't want a password to be sent by GET, because the user might share the resulting URL and inadvertently expose their password.

However, a GET and a POST are equally easy to intercept by a well-placed malicious person if you don't deploy TLS/SSL to protect the network connection itself.

All Forms sent over HTTP (usually port 80) are insecure, and today (2017), there aren't many good reasons for a public website to not be using HTTPS (which is basically HTTP + Transport Layer Security).

As a bonus, if you use TLS you minimise the risk of your users getting code (ADs) injected into your traffic that

--  Toasty_Pallate

It is worth noting that GET request parameters can be cached while POST request parameters are not, meaning that if a password is GETted, it is stored at various points on the way to the server (your browser and anyone it's sharing info with, the people manning the firewall at the Org that is receiving the GET, the server logs, etc.)

While it is true that HTTPS encrypts the URL and GET request parameters, nothing guarantees that there is not a Web Application Firewall (that decrypts all traffic going into the Org for inspection) logging user info, or that one will be implemented in the future at your org. Logs in plain-text are (hopefully) a LOT easier to compromise than a database of hashed passwords.

So if you're managing sensitive information, it's best to use POST.
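The practical consequence of the second comment is that a password submitted via GET lands in the request line of every access log along the path, while a POST body does not. As an added example (not code from php.net or either commenter), the following scans Apache/nginx "combined"-format log lines for sensitive query parameters and redacts them; the parameter-name list, the regex and the sample log lines are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed list of parameter names that should never appear in a URL.
SENSITIVE = {"password", "passwd", "pwd", "token", "secret", "api_key"}

# Apache/nginx "combined" format:
# client ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?P<rest>.*)$'
)

# Constructed sample: one password leaked via GET, the same login done via
# POST (body is not in the log), and a harmless search query.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2017:13:55:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2017:13:56:01 +0000] "GET /search?q=php+get+vs+post HTTP/1.1" 200 5120 "-" "curl/7.55"',
]


def leaked_params(target):
    """Return the sorted names of sensitive query parameters in a request target."""
    query = urlsplit(target).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE})


def redact_target(target):
    """Replace the value of every sensitive query parameter with REDACTED."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(lines):
    """Return (findings, cleaned_lines): who leaked what, plus a redacted copy."""
    findings, cleaned = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            names = leaked_params(m.group("target"))
            if names:
                findings.append((m.group("client"), m.group("method"), names))
                line = line.replace(m.group("target"), redact_target(m.group("target")), 1)
        cleaned.append(line)
    return findings, cleaned
```

Running `scan_log(SAMPLE_LOG)` flags only the GET login; the POST line is unchanged because the credentials were in the body, which the access log never records.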
