What ‘sensitive information’ could be disclosed when setting JsonRequestBehavior to AllowGet
In your return, use the following: return this.Json("your result", JsonRequestBehavior.AllowGet);
The entire request is encrypted, including the URL, and even the command (GET). The only thing an intervening party such as a proxy server can glean is the destination address and port. Note, however, that the Client Hello packet of a TLS handshake can advertise the fully qualified domain name in plaintext via the SNI … Read more
Not in the RFC, no, but there are practical limits. The HTTP protocol does not place any a priori limit on the length of a URI. Servers MUST be able to handle the URI of any resource they serve, and SHOULD be able to handle URIs of unbounded length if they provide GET-based forms that … Read more
Angular’s $http has a cache built in. According to the docs: cache – {boolean|Object} – A boolean value or object created with $cacheFactory to enable or disable caching of the HTTP response. See $http Caching for more information. Boolean value So you can set cache to true in its options: $http.get(url, { cache: true}).success(…); or, … Read more
Isn’t that what hidden parameters are for to start with…? <form action="http://www.example.com" method="GET"> <input type="hidden" name="a" value="1" /> <input type="hidden" name="b" value="2" /> <input type="hidden" name="c" value="3" /> <input type="submit" /> </form> I wouldn’t count on any browser retaining any existing query string in the action URL. As the specifications (RFC1866, page 46; HTML 4.x … Read more
According to MDN, Preflighted requests Unlike simple requests (discussed above), “preflighted” requests first send an HTTP OPTIONS request header to the resource on the other domain, in order to determine whether the actual request is safe to send. Cross-site requests are preflighted like this since they may have implications to user data. In particular, a … Read more
Use POST for destructive actions such as creation (I’m aware of the irony), editing, and deletion, because you can’t hit a POST action in the address bar of your browser. Use GET when it’s safe to allow a person to call an action. So a URL like: http://myblog.org/admin/posts/delete/357 Should bring you to a confirmation page, … Read more
Yes. The querystring is also encrypted with SSL. Nevertheless, as this article shows, it isn’t a good idea to put sensitive information in the URL. For example: URLs are stored in web server logs – typically the whole URL of each request is stored in a server log. This means that any sensitive data in … Read more
I’m going to have to say curl http://127.0.0.1:8000 -o outfile
Browsers (and Dashcode) provide an XMLHttpRequest object which can be used to make HTTP requests from JavaScript: function httpGet(theUrl) { var xmlHttp = new XMLHttpRequest(); xmlHttp.open( "GET", theUrl, false ); // false for synchronous request xmlHttp.send( null ); return xmlHttp.responseText; } However, synchronous requests are discouraged and will generate a warning along the lines of: … Read more