Dave Watts wrote: >> We've got a 3rd party API that we call via HTTPS. They want the >> data submitted via GET (i.e. URL strings) whereas its my >> understanding that POST would be more secure. Am I correct in >> my understanding or loosing my mind? > > You are incorrect, but I doubt you're losing your mind. When you make an > HTTPS request, the entire request (including the URL you're requesting) is > encrypted. So, they are equally secure.
The only reason to prefer one over the other is that a GET should not produce lasting changes on the server and a POST is allowed to produce lasting changes (see RFC 2616). So for searching a GET is the right choice, while for changing a user profile a POST is the right choice. Browsers tend to express this difference in behaviour in the way they they treat the 'Back' button. If you press Back to the action page of a GET submit, the browser will just do it. If you press Back to the action page of a POST submit, the browser will popup with a warning and ask if you really want to resubmit. Jochem ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:213136 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
