The use of REST APIs has increased considerably today. Almost every platform produces or consumes a REST API. REST APIs communicate with each other using HTTP methods. For example HTTP GET, HTTP POST, HTTP PUT etc.
There are many reasons for using the preferred HTTP methods for REST APIs. In this article, the definitions of HTTP GET and HTTP POST methods, their differences and why they are more secure will be discussed.
Table of Contents
What is HTTP GET
HTTP Get method is used to get data from the server. GET and POST methods are the most commonly used methods and are used to access resources on the server.
With the GET method, query texts can be sent in the URL. The most important benefit of this is that users can bookmark and send requests containing the same query later, and they can reach the same pages by calling the previous queries in the browser with the “back” button or by calling them from the browser history.
- The requests to be sent can be stored in the memory and the requests can be stored in the history by the browser and saved in bookmarks / favorites.
- Since the address bar will be used for the requests to be sent, it may be subject to length restrictions. (max 2048 characters)
- If forward and backward buttons are used in requests to be sent, action can be taken without any warning.
- In the requests to be sent, pictures, videos, audio, documents etc. multipart file content cannot exist. (application/x-www-form-urlencoded)
What is HTTP POST
It is used to print data to the server with the HTTP POST method. With this method, request parameters can be sent both in the URL and in the message body.
- Requests to be sent can never be memorized and requests can never be stored by the browser in the past, they can never be saved to bookmarks / favorites.
- Since the requests to be sent will be transmitted implicitly, they are never subject to length restrictions. (no maximum character limit)
- If forward and back buttons are used in requests to be sent, there will definitely be a warning and action will be taken according to the warning result.
- In the requests to be sent, pictures, videos, audio, documents etc. multipart file content may exist. (application/x-www-form-urlencoded & multipart/form-data)
Which one is more secure
HTTP GET method is less secure than HTTP POST method for requests to be sent. Because in requests to be sent with the HTTP GET method, it should not be used if it contains sensitive data, since all data is in a way that everyone can see. When using the HTTP GET method, requests are sent in the URL section. Since the information sent is displayed in the URL, the security risk is high, but it is faster than the HTTP POST method.
Although the fast operation of the HTTP GET method provides convenience, it is a risky method in terms of security. For example, if the requests in the order section of an e-commerce site are sent with the HTTP GET method, when a user refreshes the page or presses the back button after placing an order, he will order again, thus causing a problem for both the user and the e-commerce site.
In addition, sending sensitive parameters with the GET method, causing these sensitive information to be read, is another risk of this method.
Conclusion
Before installing HTTP methods in REST API creation processes, it is very important for security to evaluate the issues we discussed in this article. Developing your applications according to these considerations will provide a safer production experience.