POST - secuguru/security-terms GitHub Wiki
The HTTP POST method is used to send data to the server to create or update a resource. It is commonly used in web applications for submitting form data or transmitting large amounts of information securely.
- Purpose:
- Transmits data to the server for processing.
- Request Body:
- Data is included in the HTTP request body, not in the URL.
- Not Idempotent:
- Multiple POST requests may result in different outcomes (e.g., creating multiple resources).
- Content-Type:
- Specifies the format of the data being sent.
When submitting a form, the data is typically sent in the request body, encoded based on the form’s enctype attribute.
- application/x-www-form-urlencoded (default)
- Data is encoded as key1=value1&key2=value2 (URL-encoded).
- Example:
<form action="/submit" method="POST">
<input type="text" name="username" value="john_doe">
<input type="password" name="password" value="123456">
<button type="submit">Submit</button>
</form>
- Request Body:
username=john_doe&password=123456
- multipart/form-data
- Used for uploading files.
- Each field, including files, is sent as a separate part.
- Example:
<form action="/upload" method="POST" enctype="multipart/form-data">
<input type="file" name="file">
<button type="submit">Upload</button>
</form>
- Request Body:
Content-Disposition: form-data; name="file"; filename="example.txt"
Content-Type: text/plain
- application/json
- Data is sent in JSON format.
- Example:
fetch('/api/login', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({ username: "john_doe", password: "123456" })
});
- Request Body:
{
"username": "john_doe",
"password": "123456"
}
| Aspect | POST | GET |
|---|---|---|
| Data Transmission | Sent in the body of the request. | Appended to the URL as query parameters. |
| Visibility | Not visible in the URL. | Visible in the URL. |
| Length Limit | No limit on data size (theoretically). | Limited by URL length. |
| Use Case | Submitting forms, file uploads, APIs. | Retrieving data, search queries. |
| Security | More secure for sensitive data. | Less secure; data can be cached or logged. |
- Sensitive Data:
- Always use HTTPS to encrypt form data during transmission.
- Avoid sending credentials or sensitive information in plain text.
- Cross-Site Request Forgery (CSRF):
- POST requests are often targeted in CSRF attacks.
- Use CSRF tokens to validate requests.
- Input Validation:
- Validate and sanitize all incoming data to prevent attacks like SQL Injection (SQLi) and Cross-Site Scripting (XSS).
- Content-Type Validation:
- Ensure the Content-Type header matches the expected format (e.g., application/json or multipart/form-data).
- Rate Limiting:
- Limit the number of POST requests to prevent abuse (e.g., brute-force attacks).
POST /submit HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
username=john_doe&password=123456
HTTP/1.1 200 OK
Content-Type: text/html
<html>
<body>Form submitted successfully!</body>
</html>
- Form Submissions:
- User login, registration, contact forms, etc.
- File Uploads:
- Sending images, documents, or other files using multipart/form-data.
- API Endpoints:
- RESTful APIs often use POST to create new resources (e.g., POST /api/users).
- Transactions:
- Submitting payments, purchases, or updates to databases.
| Aspect | Details |
|---|---|
| What is POST? | HTTP method used to send data to the server. |
| Data Location | Sent in the HTTP request body. |
| Form Encodings | application/x-www-form-urlencoded, multipart/form-data, application/json. |
| Common Use Cases | Form submissions, file uploads, and API requests. |
| Security Considerations | Use HTTPS, CSRF protection, input validation, and rate limiting. |
The POST method is a critical part of web applications for securely transmitting user data and creating resources. Proper handling of form data, combined with input validation, CSRF protection, and encryption (HTTPS), ensures that POST requests remain secure and reliable.