Open grtjn opened 8 years ago
What's the security advantage of POST over GET? With HTTPS, URL params are encrypted...
My first thought was that it was to get URL params encrypted, but they already are. Reading further in the recommendations, it is about reading URL params from the browser cache using JavaScript. Maybe not too big an issue with read-only requests like search and values, but it does make security audits squeak.
Could I see those details from the audit? (maybe through another channel)
For extra security when running over HTTPS, request params should be avoided in the URL and sent in the request body whenever possible. Consider always using POST for /v1/search, /v1/values, etc.