-1

Why its recommended to use the GET method to retrieve data in Rest API?

As everyone knows POST method is comparatively more secure and feasible to get data. Most of the designed systems use GET to retrieve since it's idempotent and "theoretically" does not alter data on the server however, nowadays most of the GET requests also create logs on the server or alter caching. I'm wondering if is it not a good practice to use POST for all API services.

Mad
  • 538
  • 1
  • 10
  • 27
  • 1
    `Post method is secure and feasible to get data.` how exactly post is more secure? – Iłya Bursov Sep 10 '22 at 16:43
  • comparatively more secure because the data is not exposed in the URL bar. Requests made through GET method are stored in Browser history etc... – Mad Sep 10 '22 at 16:47
  • it is false sense of security, ssl/https is what makes things secure, not the get/post or any other http method – Iłya Bursov Sep 10 '22 at 16:56
  • 2
    This question can be generalized to: "Why do HTTP methods exists at all if we can use POST for everything". Some APIs do, like GraphQL and SOAP. – Evert Sep 10 '22 at 18:32
  • 1
    @IłyaBursov information in the URL has a high likelihood to leak to other systems like logging systems, caches, etc. It's a pretty common security practice to not embed sensitive information in the URL. – Evert Sep 10 '22 at 18:33
  • @Evert usage of post for sensitive information does not make it secure as well, while it will not leak to "some" logging systems, it will still be sent as plain text (without ssl) – Iłya Bursov Sep 10 '22 at 19:18
  • @IłyaBursov of course you need TLS as well. – Evert Sep 10 '22 at 22:06
  • @Evert Leaking sensitive data is a security question, not an architectural question. The solution depends on the type of data, the amount of data and the risk, but it is usually not completely overriding web standards, because we know better. Designing a webservice in a way that it does not leak or encrpyting logs or limiting access to log servers and log files are a possible risk-reducing measures. Security is more about being conscious in the topic rather than inventing the Death Star for shooting a pigeon. – inf3rno Sep 12 '22 at 23:34
  • 1
    @inf3rno I was only responding to Iłya's message about HTTPS being an adequate to prevent PII leaking in urls, which is not true. It was not meant as a general reason against the using correct HTTP methods wholesale. I'm a big proponent of of HATEOAS so preaching to the choir here. – Evert Sep 13 '22 at 00:11

2 Answers2

4

Why its recommended to use the GET method to retrieve data in Rest API?

The reason that we don't use POST for everything: using a method with more specific semantics allows general purpose components within the HTTP application to do intelligent things.

Specifically for the case of GET

  1. Caching

The goal of HTTP caching is significantly improving performance by reusing a prior response message to satisfy a current request. -- RFC 9111

The response to a GET request is cacheable; a cache MAY use it to satisfy subsequent GET and HEAD requests unless otherwise indicated by the Cache-Control header field -- RFC 9110

This means both that a GET request can be served by a cache (rather than passing the request all the way through to the origin server) and that GET responses can be cached for later re-used.

Because POST is potentially unsafe (ie, edits resources), the general purpose components always have to pass the request through to the origin server. POST responses can be cached only in some cases; general purpose components can recognize these specific cases via the metadata provided by the origin server.

  1. Unlike POST, the semantics of a GET request are safe.

The purpose of distinguishing between safe and unsafe methods is to allow automated retrieval processes (spiders) and cache performance optimization (pre-fetching) to work without fear of causing harm. In addition, it allows a user agent to apply appropriate constraints on the automated use of unsafe methods when processing potentially untrusted content. -- RFC 9110

Most of the designed systems use GET to retrieve since it's idempotent and "theoretically" does not alter data on the server however, nowadays most of the GET requests also create logs on the server or alter caching.

Yes, which is why it is important to understand the distinction between safe semantics and safe implementation

HTTP does not attempt to require the results of a GET to be safe. What it does is require that the semantics of the operation be safe, and therefore it is a fault of the implementation, not the interface or the user of that interface, if anything happens as a result that causes loss of property Fielding, 2002

However I guess Its ok to use GET if only retrieval and no sensitive data on URL.

Yes - and notice that's a property of the URI/URL, not the HTTP method. A POST with sensitive information in the target-uri is no better (or worse) than the equivalent GET request.

For example; if you are creating an HTML form, and intend to collect sensitive information, then you'll use form.method POST because we don't want the browser to construct a URI with sensitive information in it.

Similarly, a URI template design that uses variable expansion for sensitive information is just asking for problems.

But this should be understood as a URI design problem, not as a necessary feature of HTTP method semantics.

VoiceOfUnreason
  • 52,766
  • 5
  • 49
  • 91
  • So what's your take on this? should REST APIs use GET for retrieval even though it's not a safe implementation? – Mad Sep 11 '22 at 04:43
  • @Mad "extraordinary claims require extraordinary evidence", and until you get that evidence what you claim is just an opinion. Even if you have evidence, you talk only about implementations which violate the standard, not about problems with the HTTP standard... – inf3rno Sep 11 '22 at 08:38
  • @inf3rno API standards are the problems for me, not HTTP standards. If you read the question I'm asking why we should use GET when we have POST. The GET method is already not secure as POST, even if you use TLS it is vulnerable. – Mad Sep 12 '22 at 02:10
  • @Mad HTTP is the standard APIs apply, there are no "API standards". – inf3rno Sep 12 '22 at 13:25
  • @inf3rno As per the topic I'm talking about REST API standards, not HTTP . therefore we are still going through rounds and round without trying to figure out whats best, However I guess Its ok to use GET if only retrieval and no sensitive data on URL. – Mad Sep 12 '22 at 15:50
  • @Mad Which standards? ODATA? – inf3rno Sep 12 '22 at 16:24
  • @Mad "The Open Data Protocol (OData) enables the creation of REST-based data services which allow resources, identified using Uniform Resource Locators (URLs) and defined in a data model, to be published and edited by Web clients using simple HTTP messages. This specification defines the core semantics and the behavioral aspects of the protocol." http://docs.oasis-open.org/odata/odata/v4.01/odata-v4.01-part1-protocol.html#_Toc31358832 – inf3rno Sep 12 '22 at 16:27
  • @inf3rno, let me know if the latest edit helps to clarify things. – VoiceOfUnreason Sep 12 '22 at 22:06
  • @VoiceOfUnreason Not really for me. I'll edit my answer too. Maybe two different points of view are okay here. :-) – inf3rno Sep 12 '22 at 22:43
  • @inf3rno thanks for the great discussion, I guess I understand what I was looking for – Mad Sep 13 '22 at 01:34
1

It is because the uniform interface constraint. The HTTP standard says that GET is for retrieving data and the uniform interface constraint says that you must follow standards. Why is the sky blue?

Fielding worked a lot on figuring out what made the web a success in the early 90's and ended up with the REST constraints, which contain everything needed, but are not too limiting. After this work he guided the HTTP 1.1, URI and HTML standards in a way to fulfill these constraints. Writing REST services is just using these standards and other standards for the things they were written for. Questioning the HTTP standard is questioning Fielding's work in the topic, which took around 5-10 years at least. Sure it can be questioned as everything, but maybe not stackoverflow is the right place to do it. https://www.ics.uci.edu/~fielding/pubs/dissertation/evaluation.htm

So if we trust the system, then it should be enough that we use GET, because REST services use the HTTP protocol and the HTTP standard writes it explicitly, that we must use GET for reading web resources:

The GET method means retrieve whatever information is identified by the Request-URI.

https://www.rfc-editor.org/rfc/rfc9110.html#name-method-definitions

As of why HTTP uses multiple methods including GET instead of a single method VoiceOfUnreason's answer contains it. In my opinion if an implementation fails to fulfill a standard, then we should fix or throw out the implementation instead of throwing out the standard. And sure you can use your POST-only standard for REST, after you are done with the standardization process which usually takes around 5 years.

Baskman
  • 75
  • 9
inf3rno
  • 24,976
  • 11
  • 115
  • 197