0

I want to add CSRF protection to my web service. and I learned I should add a token to the request. Problem is adding tokens to GET requests are very disclosive.

HTTP protocol says GET requests should be used only for retrieving. But, this doesn't mean data retrieved by GET must be safe to be seen by an attacker. I want to retrieve user specific data by GET and I don't want them to be leaked.

So, my question is which request method I should use for this purpose.

pandora2000
  • 463
  • 1
  • 4
  • 12

1 Answers1

1

It sounds like you are confusing different issues here.

First, GET methods are not more 'disclosive' in the way you seem to mean here. You are correct that GET should only be used for retrieving information, and never changing it. But that's not related to the transport security of your GET request.

If your connection is not secure and someone is 'listening' in the middle, the CSRF token is probably the very least of your problems. At any rate; transport security and Cross-Site Request Forgery aren't really related.

So, if you are worried about snooping on the connections, secure it with SSL/TLS. If not... just use the token.

Andrew Barber
  • 39,603
  • 20
  • 94
  • 123
  • Actually, I know they are not related. But I thought GET request with some security information is something unsafe. Anyway, your third point is correct, I assume GET with CSRF token is safe. Thanks. – pandora2000 Apr 02 '14 at 18:36
  • You're welcome! One point I may have given the wrong impression on due to my wording: You should still use a CSRF token even if you are using SSL/TLS. – Andrew Barber Apr 02 '14 at 18:38