Link Security Considerations
Even on a secure web page, tapping a link can result in compromised information.
There are two ways data is insecure even when you are viewing a secure web page with the browser's lock icon closed.
- The URL in the browser's address bar is visible and not encrypted. Therefore, if the URL contains any information for the destination web page, the information will not be secure.
  Here is an example URL with information:
  https://example.com/page.php?person=Will&email=will@example.com
- The server log that records the arrival of a browser at the destination web page will record the URL. If the URL contains any information, it will be recorded in the log.
  For an example URL with information, see the previous list item.
The above example requests the destination web page with method GET, which is the method generally used when a link is tapped.
When the destination web page is requested with method POST instead of method GET, both of the above insecurities are eliminated.
- With method POST, the URL in the browser's address bar contains only the protocol and domain name. With an SSL connection, any information is sent securely to the destination web page.
- With method POST, only the protocol and domain name are recorded in the server log. Any information sent to the destination web page is not recorded in the server log.
Tapping a link to another web page generally is method GET. Submitting a form generally is method POST.
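What the server log records for each method can be checked with a small local test server. This is an added example, not code from the original article; the loopback server, the `LOG_LINES` list standing in for the access log file, and the helper names `send` and `demo` are assumptions made for the illustration.

```python
import http.client
import http.server
import threading
import urllib.parse

LOG_LINES = []  # constructed stand-in for the server's access log file


class LoggingHandler(http.server.BaseHTTPRequestHandler):
    """Destination page; log_message() receives each request line."""
    def log_message(self, format, *args):
        LOG_LINES.append(format % args)

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def do_POST(self):
        # Form fields arrive in the request body, not in the request line.
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.do_GET()


def send(port, method, path, body=None):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, body=body)
    conn.getresponse().read()
    conn.close()


def demo():
    """Send the same fields by GET and by POST; return both log lines."""
    LOG_LINES.clear()
    server = http.server.HTTPServer(("127.0.0.1", 0), LoggingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    fields = urllib.parse.urlencode({"person": "Will", "email": "will@example.com"})
    try:
        send(server.server_port, "GET", "/page.php?" + fields)   # link tap
        send(server.server_port, "POST", "/page.php", fields)    # form submit
    finally:
        server.shutdown()
        server.server_close()
    return LOG_LINES[0], LOG_LINES[1]


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The logged GET line carries the query string with the e-mail address; the logged POST line carries only the request path, because the fields travelled in the body.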
The Willmaster.com library's Posting Links article describes how to make links that submit with method POST. A link carrying information that must stay secure when tapped can be made as that article describes.
Usually, links don't need to be secure, even when they contain additional information. But when the information must not be compromised, sending it with method POST is the prudent thing to do.
(This content first appeared in Possibilities newsletter.)
Will Bontrager