DEV Community

Discussion on: RESTful without HTTP Verbs

Collapse
 
carywreams profile image
Cary Reams

Fair point on the destination server.
What about the hops between?
And to clarify, the question of server log content only began the thought process; it's not a motivating factor for making a change.

Thread Thread
 
deceze profile image
David Zentgraf

I would question why the little bit of information that may appear in server logs may in any way lead to breaches of any sort in the first place. If your security depends on the exact URL structure of your server being secret, your security is non-existent.

Thread Thread
 
aggieben profile image
Ben Collins

"Hops in between" for HTTP that matter at all to this discussion would only include SSL-terminating HTTP proxies, and they can log the fully payload if their operators so desired and there's nothing you could do about that. Presumably any such proxies would be fully trusted by either the server or the client or both. So for our purposes, intermediate hops are irrelevant.

Thread Thread
 
carywreams profile image
Cary Reams

Thought that encryption applied to the POST payload, but not the information appearing along with the URL (GET parameters?).

Thread Thread
 
aggieben profile image
Ben Collins

Encryption is only applicable in end-to-end scenarios, in which case intermediate hops are totally irrelevant - you either don't have them at all, or they're just TCP proxies / IP routers which see nothing but the TCP/IP headers.

If you have a ssl-terminating proxy (i.e., it intercepts your SSL traffic and re-encrypts it to relay it to the final destination) it can log everything.

There's nothing in between.