Passing parameters in URL

Nobody nobody at nowhere.com
Wed Feb 3 21:52:14 EST 2010


On Wed, 03 Feb 2010 14:09:07 -0800, Paul Rubin wrote:

>> Also, your claim of it being more risky is simply nonsense. GET is a
>> tiny bit more prone to tinkering by the average user. But calling this
>> less risky is promoting security by obscurity, at most.
> 
> GET parameters also tend to get recorded in the http logs of web proxies
> and web servers while POST parameters usually aren't.

More significantly, they'll appear in the Referer: header for any link the
user follows from the page, so they're visible to anyone who can get a
link to their site onto the page (whether <a href=...>, <img src=...> or
whatever).

Even if this isn't possible at the moment, will you remember to fix it the
first time you allow an off-site link?

You should assume that anything which goes into a GET request is visible
to the entire world. Don't put anything even remotely private in there.
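To make the Referer leak concrete, here is a small added example (mine, not code from the thread or from anyone on the list) that computes what a browser puts in the Referer header when the user follows a link from a page whose URL carries query parameters, and what the link's destination can then read out of it. The rules follow the W3C Referrer Policy document; the page and tracker URLs are constructed for the demonstration. The policy `no-referrer-when-downgrade` is the behaviour browsers had at the time of the thread (full URL, query string included, on any http->http or https->https navigation); current major browsers default to `strict-origin-when-cross-origin` instead, which still sends the full URL on same-origin links.

```python
"""Added example: what a page's query string looks like from the other end of an
off-site link, under the different Referrer-Policy values.  URLs are constructed."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) of an http(s) URL, filling in the default port."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    port = p.port or DEFAULT_PORTS.get(p.scheme.lower())
    return (p.scheme.lower(), host, port)


def serialize_origin(url):
    """Origin-only referrer: scheme://host[:port]/ with the default port omitted."""
    scheme, host, port = origin_of(url)
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}/"
    return f"{scheme}://{host}:{port}/"


def strip_for_referrer(url):
    """Browsers drop credentials and the fragment whatever the policy; the query stays."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port is not None:
        netloc += f":{p.port}"
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))


def referer_for(page_url, target_url, policy="no-referrer-when-downgrade"):
    """Referer value sent when following target_url from page_url, or None if nothing is sent."""
    page_scheme = origin_of(page_url)[0]
    if page_scheme not in DEFAULT_PORTS:
        return None  # about:, data:, file: and friends never produce a referrer
    same_origin = origin_of(page_url) == origin_of(target_url)
    downgrade = page_scheme == "https" and origin_of(target_url)[0] != "https"
    full = strip_for_referrer(page_url)
    origin = serialize_origin(page_url)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":  # old browser default
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":  # current browser default
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown policy {policy!r}")


def leaked_params(referer):
    """What the server at the other end of the link can read out of the Referer it gets."""
    if referer is None:
        return {}
    return dict(parse_qsl(urlsplit(referer).query))


if __name__ == "__main__":
    # Constructed page URL carrying a session token in the query string.
    page = "http://shop.example.test/account?user=alice&session=6f1c2a"
    for target in ("http://tracker.example.net/pixel.gif",
                   "https://tracker.example.net/pixel.gif"):
        for policy in ("no-referrer-when-downgrade",
                       "strict-origin-when-cross-origin", "same-origin"):
            ref = referer_for(page, target, policy)
            print(f"{target:40} {policy:32} -> {ref!r}  leaks {leaked_params(ref)}")
```

Run it and the http page leaks `user` and `session` to the tracker under every policy except `same-origin` and `no-referrer`; switch the page to https with an http tracker and the downgrade rule suppresses the header, which is luck rather than design. The only robust fix is the one the post gives: keep the token out of the URL (cookie or POST body), with a `Referrer-Policy` header as defence in depth.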
