re: RESTful without HTTP Verbs VIEW POST

TOP OF THREAD FULL DISCUSSION
re: Fair point on the destination server. What about the hops between? And to clarify, the question of server log content only began the thought proce...

I would question why the little bit of information that may appear in server logs may in any way lead to breaches of any sort in the first place. If your security depends on the exact URL structure of your server being secret, your security is non-existent.

"Hops in between" for HTTP that matter at all to this discussion would only include SSL-terminating HTTP proxies, and they can log the fully payload if their operators so desired and there's nothing you could do about that. Presumably any such proxies would be fully trusted by either the server or the client or both. So for our purposes, intermediate hops are irrelevant.

Thought that encryption applied to the POST payload, but not the information appearing along with the URL (GET parameters?).

Encryption is only applicable in end-to-end scenarios, in which case intermediate hops are totally irrelevant - you either don't have them at all, or they're just TCP proxies / IP routers which see nothing but the TCP/IP headers.

If you have a ssl-terminating proxy (i.e., it intercepts your SSL traffic and re-encrypts it to relay it to the final destination) it can log everything.

There's nothing in between.

code of conduct - report abuse