With these two methods, there’s no longer any need to ever use GET for requests internal to an application.
You may still need it for external requests, to other applications and web sites that aren’t coded to look for their
parameters as POST data, but you can’t do anything about them.
Of course, I also should mention that there’s not much security in POST unless you’re also using SSL.
Hash the passwords with Phpass.
Store the hashed passwords in the database, protected to the extent possible.
Use 2FA.
Prevent SQL injection with parameterized queries.
Prevent XSS by escaping all user-originated output.
Prevent CSRF with a csrftoken.
Prevent clickjacking with an X-Frame-Options header.
Use POST rather than GET.
Use SSL.
Submitting Requests with POST
Submitting requests with POST instead of GET makes it just a bit harder
for an attacker to break in, since JavaScript has to be used and easy tricks like
coding a request in an image src attribute won’t work. POST also prevents data like
a csrftoken from accidentally getting e-mailed or posted on a social site.
The only requests that should use GET are those that don’t do anything
other than to display a page. Indeed, RFC 2612, the official specification for HTTP,
says “the convention has been established that the GET and HEAD methods
SHOULD NOT have the significance of taking an action other than retrieval.”
It’s not disallowed, just discouraged. But you should act like it’s disallowed.
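As an added example (not code from the book), here is a small PHP front controller that puts the POST rule and several items of the checklist above into practice: display-only actions are served on GET, state-changing actions are registered as POST-only and refused on any other method, every POST must carry the session's csrftoken, an X-Frame-Options header is sent, and output is escaped. The action table, the session key name, the HTTPS redirect and the requirement of PHP 7.4 or later (for arrow functions) are assumptions of this example.

```php
<?php
// Added example, not from the book: enforces "GET only displays, POST takes action".
declare(strict_types=1);

// Use SSL: refuse to handle anything over plain HTTP (assumes a server that sets
// $_SERVER['HTTPS']; behind a TLS-terminating proxy, check its forwarded header instead).
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header('Location: https://' . ($_SERVER['HTTP_HOST'] ?? 'localhost') . ($_SERVER['REQUEST_URI'] ?? '/'), true, 301);
    exit;
}

session_start();

// Clickjacking: do not let other origins frame this page.
header('X-Frame-Options: SAMEORIGIN');

// One csrftoken per session; forms embed it as a hidden field (session key name is an assumption).
if (empty($_SESSION['csrftoken'])) {
    $_SESSION['csrftoken'] = bin2hex(random_bytes(32));
}

// Hidden field for forms, with the token escaped before it is placed in HTML.
function csrfField(): string
{
    return '<input type="hidden" name="csrftoken" value="'
        . htmlspecialchars($_SESSION['csrftoken'], ENT_QUOTES, 'UTF-8') . '">';
}

// hash_equals compares in constant time; a missing or non-string token fails.
function csrfTokenIsValid($submitted): bool
{
    $expected = $_SESSION['csrftoken'] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

// Display-only handlers may run on GET; anything that changes state is POST-only.
$actions = [
    'show'   => ['method' => 'GET',  'handler' => fn() => 'Profile page'],
    'update' => ['method' => 'POST', 'handler' => fn() => 'Profile updated'],
    'delete' => ['method' => 'POST', 'handler' => fn() => 'Profile deleted'],
];

function dispatch(array $actions, string $method, string $action, array $post): string
{
    if (!isset($actions[$action])) {
        http_response_code(404);
        return 'Unknown action';
    }
    $route = $actions[$action];
    if ($method !== $route['method']) {
        // A state-changing action arriving as GET (for instance via an <img src>) is refused outright.
        http_response_code(405);
        header('Allow: ' . $route['method']);
        return 'Method not allowed';
    }
    if ($method === 'POST' && !csrfTokenIsValid($post['csrftoken'] ?? null)) {
        http_response_code(403);
        return 'Bad or missing csrftoken';
    }
    return ($route['handler'])();
}

// The action name may come from either side; the method check decides whether it runs.
$action = $_POST['action'] ?? $_GET['action'] ?? 'show';
$result = dispatch($actions, $_SERVER['REQUEST_METHOD'] ?? 'GET', (string) $action, $_POST);

// XSS: escape everything that reaches the page; only csrfField() emits markup, and it escapes its value.
echo '<p>' . htmlspecialchars($result, ENT_QUOTES, 'UTF-8') . '</p>';
echo '<form method="post" action="?"><input type="hidden" name="action" value="update">'
    . csrfField() . '<button type="submit">Update</button></form>';
```

Requesting `?action=delete` with GET yields 405 rather than deleting anything, so a link, image tag or e-mailed URL cannot trigger the action; a POST without the session's csrftoken yields 403. Password hashing is deliberately left out of this example since the book covers it with Phpass separately.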