
safe-method-w-body: mention security aspects of moving query component into body

Open reschke opened this issue 3 years ago • 3 comments

David Slik (https://lists.w3.org/Archives/Public/ietf-http-wg/2022JanMar/0081.html):

Moving query parameters from the request URI to the request body improves overall security, given that the request URI is often cached, stored, logged and otherwise potentially disclosed by intermediary systems. As a result, if PII or other sensitive information is included in the query section of a URI, it is at a higher risk when compared to when it is included in the request body.

A description of this advantage may be worth including.

reschke, Jan 20 '22 08:01

The security advantage mentioned here could also be viewed as a debug/development drawback, because the server most of the time logs URLs to have some insight into what was requested by the 'client'.

candoumbe, Oct 16 '22 11:10

Related to the discussion in #1909. I agree with @candoumbe that if any advice is given, some pros and cons of both alternatives should probably be enumerated.

asbjornu, Nov 03 '22 11:11
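An added example, not from this thread or the http-extensions drafts, illustrating the two points above: a Common-Log-Format style access log records the request-target, query component included, but never the request body, so parameters moved into the body (as with a QUERY request) do not reach the log; and, for the debugging use of URL logging candoumbe describes, a redaction step can scrub a configured set of sensitive parameter names before the line is written. The parameter names, the client address and the log layout are assumptions made for the example.

```python
# Added example: query-component exposure in access logs and redaction before logging.
# Not code from the http-extensions project.
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as sensitive (constructed list for this example).
SENSITIVE_PARAMS = {"ssn", "email", "token"}


def redact_query(request_target: str) -> str:
    """Return the request-target with values of sensitive query parameters replaced."""
    parts = urlsplit(request_target)
    if not parts.query:
        return request_target
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    scrubbed = [
        (name, "[REDACTED]" if name.lower() in SENSITIVE_PARAMS else value)
        for name, value in pairs
    ]
    # safe="[]" keeps the placeholder readable instead of percent-encoding the brackets
    return urlunsplit(parts._replace(query=urlencode(scrubbed, safe="[]")))


def access_log_line(method: str, request_target: str, body: bytes,
                    status: int, response_bytes: int) -> str:
    """CLF-style line: the (redacted) request-target is logged, the body never is.

    `body` is accepted only to make the point explicit; it is deliberately unused.
    """
    del body  # a request body does not appear in a conventional access log
    return (f'203.0.113.7 - - [20/Jan/2022:08:01:00 +0000] '
            f'"{method} {redact_query(request_target)} HTTP/1.1" {status} {response_bytes}')


def leaks(log_line: str, secret: str) -> bool:
    """True if the secret value is visible in the produced log line."""
    return secret in log_line


if __name__ == "__main__":
    secret = "123-45-6789"  # constructed sample value
    # Sensitive data in the query component: logged unless redacted.
    print(access_log_line("GET", f"/search?ssn={secret}&q=report", b"", 200, 512))
    # Same parameters carried in the body: never reach the log line.
    print(access_log_line("QUERY", "/search", f"ssn={secret}&q=report".encode(), 200, 512))
```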