←back to thread

An illustrated guide to OAuth

(www.ducktyped.org)
354 points egonschiele | 1 comments | 25 Aug 25 12:29 UTC | HN request time: 0.206s | source
Show context
TofuLover ◴[25 Aug 25 14:40 UTC] No.45014373[source]
I don't think the part about front and back channels is quite correct. GET and POST requests are both encrypted in HTTPS -- including the URL (but not the domain, as DNS resolution happens separately). Front and back channel are more to do with trust boundaries, and what information is public vs private from the client's perspective.
replies(3): >>45014825 #>>45017066 #>>45017319 #
cathalc ◴[25 Aug 25 15:19 UTC] No.45014825[source]
Yeah this made zero sense to me - I have never seen someone consider POST secure because it can't "be seen".

Security through obscurity and all that...

replies(1): >>45017587 #
doublerabbit ◴[25 Aug 25 18:58 UTC] No.45017587[source]
Is there anyway to secure a POST request at the backend, without client side encryption?

The server processing the POST is still receiving the information posted regardless if the client is HTTPS or not.

Say, you're attempting login, the password is still received by the server and which you do with whatever when processing.

What's not stopping someone from injecting a trace on that receiving function?

In other-words, How would you secure the server processing the POST request information?

replies(1): >>45017889 #
1. BrandoElFollito ◴[25 Aug 25 19:26 UTC] No.45017889[source]
You can't. It is just a matter of reducing the risk surface. With a GET someone may add parameters, with a POST they would send the data in the post (which is often the main point of a POST).

Since all typical web servers/processors only loh the call and not the body there is a lesser probability of a leak.

I am writing this as someone who manages cybersecurity and is offering faced with not enough information in investigations because of that. This is also the reason that I used "typical" and "usually" above - it is pretty weird what people send and how they process what they receive.