1

I am confused about the security concerns of logging in to my API with a username and password.

I just want to know: if I use the POST method for the login API, is it safer than the GET method?

In other words, which method is preferred for a login API, GET or POST?

Amr Eladawy
Abhijeet Prasad
  • Makes no real odds with regard to security; but the HTTP methods should refer to specific actions: GET - retrieve a resource; POST - update a resource; PUT - create a resource; DELETE - well, DELETE a resource: https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods – CD001 May 12 '17 at 09:53
  • @CD001 The CRUD model is a good thing indeed, so POST is obvious in this case. Also, I prefer to use POST because of GET prefetch on certain browsers that 'guess' which page you might visit. Also, don't forget to secure it with HTTPS if you can set it up ;) Edit: See http://stackoverflow.com/a/14587231/2435443 – Sir McPotato May 12 '17 at 09:53

2 Answers

1

The following table compares the two HTTP methods: GET and POST.

[Image: table comparing the GET and POST methods]

Osama
  • Thank you for your answer, but someone in my company says that data is sent in the body in a POST request, so that's why the username and password are visible in this type ... is that right? – Abhijeet Prasad May 12 '17 at 10:50
  • He says to use the GET method instead of the POST method, and pass the username and password in the header of the GET method. Is this method safer than using the POST method? – Abhijeet Prasad May 12 '17 at 10:50
  • @Abhijeet Prasad Yes, POST data is sent in the body of the HTTP request, but that doesn't make GET safer than POST. If you are concerned about security, then you should use HTTPS. If you're using Firefox you can use [HTTPS Everywhere](https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/) – t.m.adam May 12 '17 at 11:00
  • @Osama Okay, using the POST method, are the username and password visible in Google Chrome developer mode in the Network-Header tab? – Abhijeet Prasad May 12 '17 at 11:34
  • Compare it to the case where it is visible in the URL in all browsers. My friend, no way; the POST method is better than the GET method, and both of them require more validation before use (what is your opinion about that?) – Osama May 12 '17 at 11:40
  • Osama, if you mean POST is safer than GET, you're right. @Abhijeet Prasad the GET query string is also visible in the Network tab. – t.m.adam May 12 '17 at 12:07
  • Hi, why did you deselect my answer? Is there anything wrong? – Osama May 12 '17 at 15:25
0

POST is more secure than GET, because you aren't showing information anywhere. And so using GET as the method for an HTML form that collects a password or other sensitive information is not the best idea.

And yes, POST can transfer larger amounts of information than GET.

You need an API application such as the Postman extension for Chrome to work with.

  • Thank you for your answer, but someone in my company says that data is sent in the body in a POST request, so that's why the username and password are visible in this type ... is that right? – Abhijeet Prasad May 12 '17 at 10:45
  • He says to use the GET method instead of the POST method, and pass the username and password in the header of the GET method. Is this method safer than using the POST method? – Abhijeet Prasad May 12 '17 at 10:50
  • Data is sent in the body in a POST request, so that's why the username and password are visible in this type (this is right if you print them), while with the GET method data will be visible in the URL. Both methods need extra validation, so it is up to you whether you want data to appear in the URL or not. – Osama May 12 '17 at 11:04
  • Okay, using the POST method, are the username and password visible in Google Chrome developer mode in the Network-Header tab? – Abhijeet Prasad May 12 '17 at 11:23
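
An added example, not from the question or either answer: standard web-server access logs record the request line, so a GET query string is written to disk while a POST body is not. The sketch below scans constructed Common Log Format lines for credential-like query parameters and redacts them; the parameter names, the `/api/login` path and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names treated as credentials (assumed list; extend for your API).
SENSITIVE = {"password", "passwd", "pwd", "token", "secret"}

# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines: the same login sent once as GET and once as POST.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2017:10:45:01 +0000] '
    '"GET /api/login?username=alice&password=s3cret HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/May/2017:10:45:09 +0000] '
    '"POST /api/login HTTP/1.1" 200 512',
]

def scrub_line(line):
    """Return (redacted_line, leaked_names) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    parts = urlsplit(m.group("target"))
    leaked, cleaned = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            leaked.append(key)
            value = "REDACTED"
        cleaned.append((key, value))
    if not leaked:
        return line, []
    target = urlunsplit(("", "", parts.path, urlencode(cleaned), ""))
    start, end = m.span("target")
    return line[:start] + target + line[end:], leaked

def audit(lines):
    """Return (line_number, method, leaked_names) for every leaking request."""
    findings = []
    for number, line in enumerate(lines, start=1):
        _, leaked = scrub_line(line)
        if leaked:
            method = REQUEST_RE.search(line).group("method")
            findings.append((number, method, leaked))
    return findings

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub_line(line)[0])
    print(audit(SAMPLE_LOG))
```

Only the GET line is flagged; the POST login leaves nothing in the access log to redact, though both still need HTTPS to be protected in transit.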