Re: GET and referer security considerations

Siew Sim:
>
[....]
>
>Also, the difference between GET and POST is where the argument list
>is placed within the protocol.  Can't there be a restriction on the
>referer header to exclude the argument list?

There could be requirements on chopping off the argument list, but this
does not solve the security problem, because legacy 1.0 user agents
would not chop things off when making a referer header.

Also, the GET URL would still get logged, with its argument list, in
the history databases or log files of legacy 1.0 user agents, proxies,
and origin servers.

The only road to security on this is advising people to use POST based
forms.

>Siew

Koen.

Received on Friday, 4 July 1997 12:31:32 UTC
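The leak the reply describes, written out as an added example that is not part of the original thread: a form submitted with GET puts its fields into the URL, so they reappear in the Referer header a legacy user agent sends on the next navigation and in the access log of every server and proxy on the path, while a POST body stays out of both. The origin, path, field names and the Common Log Format line are constructed for illustration; `strip_query` models the proposed restriction on the Referer header and shows that it leaves the log entries untouched.

```python
"""Added example: how GET form fields leak via Referer and access logs,
and why a query-stripping rule on Referer alone does not close the hole.
All URLs, field names and log values are constructed, not captured."""
from urllib.parse import urlencode, urlsplit, urlunsplit

ORIGIN = "http://www.example.com"  # constructed origin


def submit_form(method, path, fields):
    """Model the request a user agent sends for an HTML form.

    Returns a dict with the HTTP/1.0 request line, extra headers, the body,
    and page_url: the URL the browser shows afterwards, which is what it
    will send as Referer when the user follows a link on the result page.
    """
    if method == "GET":
        target = path + "?" + urlencode(fields)
        return {"request_line": "GET %s HTTP/1.0" % target,
                "headers": {}, "body": "", "page_url": ORIGIN + target}
    body = urlencode(fields)
    return {"request_line": "POST %s HTTP/1.0" % path,
            "headers": {"Content-Type": "application/x-www-form-urlencoded",
                        "Content-Length": str(len(body))},
            "body": body, "page_url": ORIGIN + path}


def referer_header(page_url, strip_query=False):
    """Referer value for the next navigation away from page_url.

    Legacy 1.0 agents send the full URL. strip_query models a user agent
    that honours a rule to drop the argument list before sending it.
    """
    if strip_query:
        p = urlsplit(page_url)
        return urlunsplit((p.scheme, p.netloc, p.path, "", ""))
    return page_url


def access_log_line(request_line):
    """Common Log Format entry an origin server or proxy writes.

    The request line, argument list included, is logged verbatim, so no
    Referer rule can keep a GET query string out of these files.
    """
    return '192.0.2.1 - - [04/Jul/1997:12:31:32 +0000] "%s" 200 512' % request_line


def exposure(method, path, fields, secret, strip_query=False):
    """Where a sensitive field value ends up for a given form method."""
    req = submit_form(method, path, fields)
    return {
        "request_line": secret in req["request_line"],
        "body": secret in req["body"],
        "referer": secret in referer_header(req["page_url"], strip_query),
        "access_log": secret in access_log_line(req["request_line"]),
    }


if __name__ == "__main__":
    fields = {"user": "siew", "pw": "s3cret"}  # constructed form fields
    for method in ("GET", "POST"):
        print(method, exposure(method, "/login", fields, "s3cret"))
    print("GET with Referer query stripping",
          exposure("GET", "/login", fields, "s3cret", strip_query=True))
```

Running the script shows the GET submission exposing the password in the request line, the Referer and the access log, the query-stripping rule clearing only the Referer column, and the POST submission exposing it only in the request body that neither logs nor Referer carry.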