来源 php.net 评论区

-- nucc1

worth clarifying:

POST is not more secure than GET.

The reasons for choosing GET vs POST involve various factors such as intent of the request (are you "submitting" information?), the size of the request (there are limits to how long a URL can be, and GET parameters are sent in the URL), and how easily you want the Action to be shareable -- Example, Google Searches are GET because it makes it easy to copy and share the search query with someone else simply by sharing the URL.

Security is only a consideration here due to the fact that a GET is easier to share than a POST. Example: you don't want a password to be sent by GET, because the user might share the resulting URL and inadvertently expose their password.

However, a GET and a POST are equally easy to intercept by a well-placed malicious person if you don't deploy TLS/SSL to protect the network connection itself.

All Forms sent over HTTP (usually port 80) are insecure, and today (2017), there aren't many good reasons for a public website to not be using HTTPS (which is basically HTTP + Transport Layer Security).

As a bonus, if you use TLS  you minimise the risk of your users getting code (ADs) injected into your traffic that

--  Toasty_Pallate

It is worth noting that GET request parameters can be cached while POST request parameters are not. Meaning that if a password is GETted it is stored at various points on the way to the server (Your browser and anyone it's sharing info with, the people manning the firewall at the Org that is receiving the GET, the server logs, etc.)

While it is true that HTTPS encrypts the URL and GET request parameters, nothing guarantees that there is not a Web Application Firewall (that decrypts all traffic going into the Org for inspection) and is logging user info or that one will be implemented in the future at your org. Logs in plain-text are (hopefully) a LOT easier to compromise than a database of hashed passwords.

So if you're managing sensitive information, it's best to use POST.

随机推荐

  1. 管理现有数据库-web系统

    1 需求 现有的业务数据需要经常被展示,所以选择django作为展示工具.只需要使用django自带的admin app,然后对现有数据库进行建模就可以搞定. 2 代码 settings: DATAB ...

  2. 2017 Multi-University Training Contest - Team 1 KazaQ's Socks

    Problem Description KazaQ wears socks everyday. At the beginning, he has n pairs of socks numbered f ...

  3. ICM Technex 2017 and Codeforces Round #400 (Div. 1 + Div. 2, combined) C

    Molly Hooper has n different kinds of chemicals arranged in a line. Each of the chemicals has an aff ...

  4. GCC在windows下的配置

    http://blog.csdn.net/lan120576664/article/details/46806991 http://blog.csdn.net/shaynerain/article/d ...

  5. css未知宽度水平居中整理

    1.text-align 兼容性很好 .wp {text-align: center;} .test {display: inline;} <ul class="wp"> ...

  6. UESTC - 1544 当咸鱼也要按照基本法 组合数学 容斥原理

    http://acm.uestc.edu.cn/#/problem/show/1544 考虑一下2.2.2这样的情况.答案应该是n / 2 如果只选一个的情况下,对答案的贡献是正的,但是这里有三个,也 ...

  7. Java集合框架常见面试题

    点击关注公众号及时获取笔主最新更新文章,并可免费领取本文档配套的<Java面试突击>以及Java工程师必备学习资源. 剖析面试最常见问题之Java基础知识 说说List,Set,Map三者 ...

  8. Crusher Django 学习笔记2 基本url配置

    http://crusher-milling.blogspot.com/2013/09/crusher-django-tutorial2-conf-basic-url.html 顺便学习一下FQ Cr ...

  9. Android 仿微信朋友圈发表图片拖拽和删除功能

    朋友圈实现原理 我们使用 Android Device Monitor 来分析朋友圈发布图片的界面实现原理.如果需要分析其他应用的界面实现也是采用这种方法哦. 打开 Android Device Mo ...

  10. Spark中Java函数的使用方法笔记

    1: map 函数map是对RDD中的每个元素都执行一个指定的函数来产生一个新的RDD. 任何原RDD中的元素在新RDD中都有且只有一个元素与之对应. 2: mapPartitions函数</p ...