[AJAX] - GET or POST ?

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
44,236
Hi, when I use something like:

Code:
xhttp.open("GET", "my_file.text", true);
xhttp.send();

Is GET fine or should I always use POST? I am asking, because everyone tells me something else regarding the two and I get the feeling POST is a lot more robust, but leaves me to think it's slower than GET?

Side Note: I am just referring to AJAX usages as I always use POST for user input data.
 

Waansin

Well-Known Member
Joined
Feb 16, 2005
Messages
284
When to use GET or POST is pretty simple.

Any action that could cause data on the server to change should always be driven by anything other than GET. In other words, these verbs: POST, PATCH, PUT, DELETE.

Any action that is basically only a read and will not alter the data should be done with a GET. "Should" is a little bit strong, maybe "probably should" is better.

You probably need to learn more about async vs sync wrt ajax calls.
 

Kosmik

Honorary Master
Joined
Sep 21, 2007
Messages
25,665
Hi, when I use something like:

Code:
xhttp.open("GET", "my_file.text", true);
xhttp.send();

Is GET fine or should I always use POST? I am asking, because everyone tells me something else regarding the two and I get the feeling POST is a lot more robust, but leaves me to think it's slower than GET?

Side Note: I am just referring to AJAX usages as I always use POST for user input data.

That's a bit confusing. GET is used to retrieve data and POST is used to send data to the server (normally an initial bit of data), whereas PUT is used to update. POST would be heavier than a GET, I assume, because it normally carries more parameters, but if the server is responding to a POST request, I think it's just interpreting a bad call correctly.

Anyway, GET to me is what should be used if you are retrieving data.

To quote W3Schools:

GET or POST?
GET is simpler and faster than POST, and can be used in most cases.

However, always use POST requests when:

A cached file is not an option (update a file or database on the server).
Sending a large amount of data to the server (POST has no size limitations).
Sending user input (which can contain unknown characters), POST is more robust and secure than GET.
 

deweyzeph

Honorary Master
Joined
Apr 17, 2009
Messages
10,544
From a security point of view it's better to use POST when sending data to a server using SSL. If you use GET to send data via querystring parameters then the data you're sending will always be unencrypted in the url, even if you're using an SSL-enabled URL. When you use a POST or PUT request, the data is in the payload of the HTTP request and is encrypted when using an SSL-enabled URL. So, as per the previous posts, it's best practice to use POST or PUT when sending data to the server.
 

Darko

Senior Member
Joined
Jul 9, 2008
Messages
627
You get when you don't need to send the server anything in order to get a result.

You post when you need to send something to the server in order to get a result. Like an ID or something.
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
While you are at it, remember to not forget about CSRF and that other OWASP issue where you can access anyone's customer detail after login :whistling:
 

benhart

Active Member
Joined
Apr 7, 2010
Messages
48
From a security point of view it's better to use POST when sending data to a server using SSL. If you use GET to send data via querystring parameters then the data you're sending will always be unencrypted in the url, even if you're using an SSL-enabled URL. When you use a POST or PUT request, the data is in the payload of the HTTP request and is encrypted when using an SSL-enabled URL. So, as per the previous posts, it's best practice to use POST or PUT when sending data to the server.

This is actually incorrect. SSL sets up the secure connection before the url is requested, so the querystring is encrypted along with the url. Obviously the domain is known, but that's all that can be intercepted.

You should still be cautious about what you put in the querystring, because it can leak in other ways (more likely logged, if an html page other assets, etc.).
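
The logging leak described in the post above, as an added example (not code from any poster in this thread): over TLS the query string is encrypted on the wire, but the server still writes the request target to its access log, and browsers can pass the page URL on in the Referer header. The log lines, the list of parameter names treated as sensitive, and the function names are all constructed for illustration.

```javascript
// Added example; log lines are constructed, not taken from a real server.
// Assumption: parameter names treated as sensitive (adjust per application).
const SENSITIVE = new Set(["password", "token", "session", "email"]);

// Combined Log Format: host ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
const LOG_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

const SAMPLE_LOG = [
  '203.0.113.7 - - [01/Jan/2024:10:00:01 +0200] "GET /login?user=thor&password=hunter2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [01/Jan/2024:10:00:02 +0200] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [01/Jan/2024:10:00:03 +0200] "GET /static/logo.png HTTP/1.1" 200 2048 "https://shop.example/reset?token=abc123" "Mozilla/5.0"',
];

// Names of sensitive parameters present in the query string of a URL or path.
function sensitiveParams(target) {
  let url;
  try {
    url = new URL(target, "http://placeholder.invalid"); // base used for paths only
  } catch {
    return []; // unparseable target: nothing to report
  }
  const keys = [...url.searchParams.keys()].map((k) => k.toLowerCase());
  return [...new Set(keys)].filter((k) => SENSITIVE.has(k));
}

// Blank out sensitive values so the line can be kept or shared.
function redact(line) {
  return line.replace(/([?&])([^=&\s"]+)=[^&\s"]*/g, (match, sep, key) =>
    SENSITIVE.has(key.toLowerCase()) ? `${sep}${key}=REDACTED` : match);
}

// Report every log line that exposes a sensitive parameter, in the request
// line (GET query string) or in the Referer the browser sent with it.
function auditLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue; // not Combined Log Format
    const [, , , method, target, , referer] = m;
    const inRequest = sensitiveParams(target);
    const inReferer = referer === "-" ? [] : sensitiveParams(referer);
    if (inRequest.length || inReferer.length) {
      findings.push({ method, inRequest, inReferer, redacted: redact(line) });
    }
  }
  return findings;
}
console.log(auditLog(SAMPLE_LOG));
```

The POST line produces no finding because the form fields travel in the request body, which the access log does not record.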
 