Do not use GET for form processing!

DON'T. Double-check your form tag for an explicit method="POST".

I thought everyone knew this. But recently I went to a site -- one written by really smart Unix guys -- and was shocked to find that every single form is submitted via "GET", not "POST". This includes the login form, the billing information form (yes, the one with your credit card number), etc. It is absolutely insecure. Yes, the server is under HTTPS, but that is of no use here.

Why is it insecure? When you do a GET, all the parameters are in the URL, in plain text. And the URL gets stamped in your browser history, in the web server access logs (we may be able to assume that the server is reasonably secure) and, more scarily, in the logs of any proxy servers along the route.
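To see what such a GET form leaves behind, here is an added example (not code from the original post) that scans access-log lines in the common Apache/nginx format for sensitive field names that ended up in a query string; the log lines and the `SENSITIVE` name list are constructed for illustration.

```python
"""Added example: find form fields leaked into URLs by method="GET" forms.
The sample log lines below are constructed, not taken from any real server."""
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: field names that should never travel in a URL (extend per application).
SENSITIVE = {"password", "passwd", "pass", "card", "ccnumber", "cvv", "ssn"}

# Request part of a "combined" access-log line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def leaked_fields(log_line):
    """Return sorted sensitive parameter names found in a GET request's query string."""
    m = REQUEST_RE.search(log_line)
    if not m or m.group("method") != "GET":
        return []  # POST bodies are not written to the access log
    query = urlsplit(m.group("target")).query
    params = parse_qs(query, keep_blank_values=True)
    return sorted(name for name in params if name.lower() in SENSITIVE)


def scan(lines):
    """Map the index of each offending line to the field names it exposes."""
    findings = {}
    for idx, line in enumerate(lines):
        fields = leaked_fields(line)
        if fields:
            findings[idx] = fields
    return findings


# Constructed sample: a login form and a billing form submitted via GET,
# plus the same login done correctly via POST (nothing sensitive logged).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "POST /login HTTP/1.1" 302 0',
    '10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /billing?card=4111111111111111&cvv=123 HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for idx, fields in scan(SAMPLE_LOG).items():
        print(f"line {idx}: exposes {', '.join(fields)}")
```

Running the same check over real access logs (or browser history exports) is a quick way to confirm whether any existing form still submits via GET.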

I checked a few proxy server logs, for example from a Squid proxy. Only the host name is stamped there, not the parameters. So that is one less worry.