Re: GET and referer security considerations

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Yaron Goland: "RE: HTTP/1.1 & Proxies"
• Previous message: Henrik Frystyk Nielsen: "Re: HTTP/1.1 & Proxies"
• In reply to: Koen Holtman: "GET and referer security considerations"
• Next in thread: David W. Morris: "Re: GET and referer security considerations"
• Reply: David W. Morris: "Re: GET and referer security considerations"

>>>>> "KH" == Koen Holtman <koen@win.tue.nl> writes:

KH> - Web servers SHOULD NOT use GET based forms for the submission
KH>   of sensitive data, because this will cause this data to be encoded in
KH>   the request URI, and many existing servers, proxies, and user agents
KH>   will log the request URI in some place where it may be visible to
KH>   third parties.  Servers can use POST based form submission instead.

  This is just the latest of a number of suggestions lately that are
  based on the idea that a 'server' can protect users from various
  insecure or otherwise inadvisable practices.  The _server_ cannot
  know whether or not a form contains 'sensitive' data; only the
  application designer (the one who wrote the form) and perhaps the
  user know that.

  The world may need a Best Current Practices RFC to advise
  application designers on how to avoid problems like the one Koen
  cites, but no HTTP server can stop them, and the specification
  should not be muddied with requirements which can neither be
  implemented nor tested.

--
Scott Lawrence           EmWeb Embedded Server       <lawrence@agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/

• Next message: Yaron Goland: "RE: HTTP/1.1 & Proxies"
• Previous message: Henrik Frystyk Nielsen: "Re: HTTP/1.1 & Proxies"
• In reply to: Koen Holtman: "GET and referer security considerations"
• Next in thread: David W. Morris: "Re: GET and referer security considerations"
• Reply: David W. Morris: "Re: GET and referer security considerations"