
Differences between GET and POST over HTTP and HTTPS: definition, security, performance


Reposted from: http://cuishen.iteye.com/blog/2019925

Differences between the GET and POST methods of an HTTP / HTTPS request:

A. Differences in definition and security:
refer: 
http://blog.csdn.net/csj50/article/details/5687850 
http://www.cnblogs.com/hyddd/archive/2009/03/31/1426026.html 

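B. Performance differences:
According to the Yahoo! Mail team, a POST sent as an AJAX request is split into two steps: sending the headers first, then sending the data.

Conversely, a POST request with no data string should perform the same as a GET.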

refer: 
http://developer.yahoo.com/performance/rules.html#ajax_get 

Quote:
The Yahoo! Mail team found that when using XMLHttpRequest, POST is implemented in the browsers as a two-step process: sending the headers first, then sending data. So it's best to use GET, which only takes one TCP packet to send (unless you have a lot of cookies). The maximum URL length in IE is 2K, so if you send more than 2K data you might not be able to use GET. 

An interesting side effect is that POST without actually posting any data behaves like GET. Based on the HTTP specs, GET is meant for retrieving information, so it makes sense (semantically) to use GET when you're only requesting data, as opposed to sending data to be stored server-side.



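C. More on security
Reportedly, under HTTPS only the host part of the URL (e.g. "cuishen.iteye.com" in "https://cuishen.iteye.com/blog/2017537") is sent in plaintext; all other request and response content is encrypted. From this angle, GET over HTTPS is safer than GET over HTTP: at the very least, an attacker eavesdropping on the channel only obtains ciphertext.

However, because the URL of a GET request appears in the browser's address bar and history (this is also true under HTTPS), it remains a security risk.

So, of the four combinations, HTTPS + POST is the most secure!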

refer: 
http://stackoverflow.com/questions/499591/are-https-urls-encrypted 
http://www.cnblogs.com/zhuqil/archive/2012/07/23/2604572.html 


-------------------- 
Some additional findings:

Although the URL of an HTTPS GET request made via AJAX is not recorded in the browser's history, it is recorded in Firefox's memory cache:

Try the URL below in Firefox:

    about:cache?device=memory


POST requests are not recorded there!
So, where security requirements are high, avoid the GET method whenever possible!
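
As an added example (not part of the original post), the JavaScript below audits a list of URLs for sensitive query parameters, which is what ends up in the address bar, history or cache listing, and rewrites such a GET URL into a POST whose sensitive fields travel in the body. The names in SENSITIVE_KEYS and the app.example URLs are assumptions constructed for illustration.

```javascript
// Added example, not from the original post. Key names are assumptions.
const SENSITIVE_KEYS = new Set(["password", "token", "session", "ssn"]);

// Return the names of sensitive query parameters present in a URL.
// Anything in the URL is stored wherever the browser keeps URLs
// (address bar, history, cache listing), with or without HTTPS.
function sensitiveParamsInUrl(rawUrl) {
  const url = new URL(rawUrl);
  const found = [];
  for (const key of url.searchParams.keys()) {
    if (SENSITIVE_KEYS.has(key.toLowerCase()) && !found.includes(key)) found.push(key);
  }
  return found;
}

// Describe the equivalent POST request: sensitive parameters move to the
// form-encoded body, non-sensitive ones stay in the URL.
function toPostRequest(rawUrl) {
  const url = new URL(rawUrl);
  const body = new URLSearchParams();
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    (SENSITIVE_KEYS.has(key.toLowerCase()) ? body : kept).append(key, value);
  }
  url.search = kept.toString();
  return {
    method: "POST",
    url: url.toString(),
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Constructed sample URLs, as they might be listed by about:cache.
const sampleUrls = [
  "https://app.example/api/login?user=alice&password=s3cr3t%21",
  "https://app.example/api/items?page=2",
  "https://app.example/api/export?Token=abc123&format=csv",
];

// Keep only the URLs that expose at least one sensitive parameter.
function auditUrls(urls) {
  return urls
    .map((u) => ({ url: u, exposed: sensitiveParamsInUrl(u) }))
    .filter((r) => r.exposed.length > 0);
}

console.log(auditUrls(sampleUrls));
console.log(toPostRequest(sampleUrls[0]));
```

The object returned by toPostRequest can be passed to fetch(request.url, request) in a browser; the rewritten URL no longer carries the sensitive fields.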
