
Securing ajax, GET vs POST


s0c0


I've read that using POST is not any more secure than using a GET in your XMLHttpRequest object. My company has recently deployed a point-of-sale system for our CSRs that is heavy on ajax and uses only GET requests. At this point all the traffic is inside our network, but there is still a bit of security concern there that I would like to address immediately; furthermore, at some point in the near future this will be opened up to contractors and other companies to sell our products. I am worried about these GET requests sending people's credit card information across the web. If I were to implement POST over HTTPS, would the data contained inside the POST be encrypted by SSL? Is this correct? And it would not matter if we were sending GETs over SSL, since someone listening in could still view the URL string, correct?

 

Please advise.


The way I understand it, an encrypted connection between client and server is established before the query is sent. Meaning the query (thus GET data) is encrypted, and not viewable.

 

From wikipedia:

TLS Handshake in Detail

 

The TLS protocol exchanges records that encapsulate the data to be exchanged. Each record can be compressed, padded, appended with a message authentication code (MAC), or encrypted, all depending on the state of the connection. Each record has a content type field that specifies the record, a length field, and a TLS version field.

 

When the connection starts, the record encapsulates another protocol, the handshake protocol, which has content type 22.

 

A simple connection example follows:

..................<snip>

 

    * Finally, the Server sends a ChangeCipherSpec and its encrypted Finished message, and the Client performs the same decryption and verification.

 

    * At this point, the "handshake" is complete and the Application protocol is enabled, with content type of 23. Application messages exchanged between Client and Server will be encrypted.

 

The application protocol is HTTP, at least in the case of HTTPS. So TLS/SSL sits between TCP and HTTP, and after there is a secure connection, the client can send an HTTP request query. So no HTTP data is ever sent unencrypted.
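The answer above covers what TLS protects on the wire; as an added example that is not part of this thread, the script below looks at where a GET request line ends up after the connection, namely the server's access log. It scans constructed log lines for query parameters carrying a Luhn-valid card number, so a team can find the endpoints that should move card data into a POST body. The log format and the parameter names are assumptions.

```javascript
// Added example, not from the original thread. TLS encrypts the whole HTTP
// request, URL included, but a GET request line is still written to the web
// server's access log (and browser history), so card data sent as GET
// parameters ends up stored in clear. This scans constructed access-log lines
// for query parameters holding plausible card numbers (13-19 digits passing
// the Luhn check). Log format and parameter names are assumptions.

function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Names of query parameters in a request target (path + query string as it
// appears in the log) whose value looks like a card number.
function cardParamsInTarget(requestTarget) {
  const qs = requestTarget.split("?")[1];
  if (!qs) return [];
  const hits = [];
  for (const [name, value] of new URLSearchParams(qs)) {
    const digits = value.replace(/[ -]/g, "");
    if (/^\d{13,19}$/.test(digits) && luhnValid(digits)) hits.push(name);
  }
  return hits;
}

// Scans Common Log Format lines; one finding per request whose URL carries
// a card number. The Luhn check keeps ordinary numeric ids out of the report.
function findCardDataInLog(logText) {
  const findings = [];
  for (const line of logText.split("\n")) {
    const m = /"(GET|POST) (\S+) HTTP\/[\d.]+"/.exec(line);
    if (!m) continue;
    const params = cardParamsInTarget(m[2]);
    if (params.length) findings.push({ method: m[1], target: m[2], params });
  }
  return findings;
}
// Constructed sample log lines (not real traffic); only the first one should
// be reported: "order" is 15 digits but fails the Luhn check.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2010:12:00:00 +0000] "GET /pos/charge?cust=42&pan=4111111111111111&exp=1212 HTTP/1.1" 200 17',
  '10.0.0.5 - - [01/Jan/2010:12:00:01 +0000] "GET /pos/lookup?order=123456789012345 HTTP/1.1" 200 88',
  '10.0.0.6 - - [01/Jan/2010:12:00:02 +0000] "POST /pos/charge HTTP/1.1" 200 17',
].join("\n");
```

Running `findCardDataInLog(SAMPLE_LOG)` reports only the `/pos/charge` GET, with `pan` as the offending parameter.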
