In a previous Arduino guide, we used the HTTP POST method to upload sensor data. What is HTTP POST? HTTP POST is used to send data to a server to create or update a resource at a URL that already exists. In the same way, we used HTTP GET with WordPress and HTTP PUT with OpenStack Swift. First, we need to understand what HTTP POST is; second, we need to know the basic differences from similar methods such as HTTP PUT and HTTP PATCH. The relevant specification for PUT and POST is RFC 2616 §9.5ff:
https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5
There are times when HTTP GET is less suitable even for data retrieval.
The HTTP GET request method retrieves information from the server and is commonly used by browsers. HTTP POST is a request method where a web server accepts the data enclosed in the body of the request message, most likely for storing it. It is often used when uploading a file or when submitting a completed web form.
An arbitrary amount of data of any type can be sent to the server in the body of the request message. A header field in the POST request usually indicates the message body’s media type.
HTTP POST to a URL creates a child resource at a server defined URL.
HTTP PUT to a URL creates/replaces the resource in its entirety at the client defined URL.
HTTP PATCH to a URL updates part of the resource at that client defined URL.
HTTP OPTIONS to a URL requests to return data describing what other methods and operations the server supports at the given URL.
---
HTTP POST creates a child resource, so a POST to /items creates a resource that lives under the /items resource. HTTP PUT is for creating or replacing a resource at a URL known by the client. PUT is only a candidate for CREATE where the client already knows the URL before the resource is created. PUT is idempotent: calling it once or several times in succession has the same effect (that is, no additional side effect), whereas successive identical POSTs may have additional effects, like placing an order several times.
Now for accepting HTTP POST on your own server. HTTP POST is a little unsafe. With improper permissions on server directories, it is possible for an unauthorized person to upload a JavaScript-based web console and manipulate the server. For those reasons, chown, chgrp and chmod are given huge importance for newbie users. This does not apply only to GET.
Illustration by https://www.geeksforgeeks.org/get-post-requests-using-python/, which is a good resource on this topic for Python.
HTTP POST is not encrypted; it can be intercepted by a network sniffer or a proxy, or leaked in the logs of a server with a customised logging level. POST just puts the information in a different place (the request message body) than GET (the URL). Some people feel that the latter exposes more information, which is true in some respects. POST is better than GET because POST data is not usually logged by a proxy or server, but it is not secure. To secure a password or other confidential data you must use SSL or encrypt the data before you POST. Another option would be to use Digest Authentication with the browser. Encryption is not enough to prevent replay attacks; you must concatenate a nonce and other data (e.g. realm) before encrypting.
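The nonce idea above, as an added example that is not code from the original article: a client signs each POST body together with a realm, a fresh nonce and a timestamp, and the server refuses any request it has already accepted. It uses an HMAC-SHA256 signature rather than encryption, and the header names, shared key and realm are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SHARED_KEY = b"constructed-demo-key"  # assumption: provisioned on client and server
REALM = "sensors"                     # assumption: example realm name
MAX_SKEW = 300                        # seconds a signed request stays acceptable


def _mac(key: bytes, nonce: str, ts: str, body: bytes) -> str:
    # Hashing the body first keeps the ':'-separated fields unambiguous.
    digest = hashlib.sha256(body).hexdigest()
    msg = f"{REALM}:{nonce}:{ts}:{digest}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_post(body: bytes, key: bytes = SHARED_KEY, now=None) -> dict:
    """Client side: headers to send along with the POST body."""
    nonce = secrets.token_hex(16)
    ts = str(int(time.time() if now is None else now))
    return {"X-Nonce": nonce, "X-Timestamp": ts,
            "X-Signature": _mac(key, nonce, ts, body)}


class PostVerifier:
    """Server side: accept each signed request at most once."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.seen = {}  # nonce -> request timestamp

    def verify(self, body: bytes, headers: dict, now=None) -> str:
        now = time.time() if now is None else now
        try:
            nonce, ts = headers["X-Nonce"], headers["X-Timestamp"]
            sig, sent = headers["X-Signature"], int(ts)
        except (KeyError, ValueError, TypeError):
            return "malformed"
        expected = _mac(self.key, nonce, ts, body)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return "bad-signature"
        if abs(now - sent) > MAX_SKEW:
            return "stale"
        # Nonces older than the window are already rejected as stale.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = sent
        return "ok"
```

The signature only proves integrity and freshness; the body still travels in clear text unless the connection itself is encrypted.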
As for WordPress, Perishable Press has a good article on protecting against malicious HTTP POST requests:
https://perishablepress.com/protect-post-requests/