Should I accept the POST method on all resources?
<p><em>In this question I'm talking about HTTP request methods. For a detailed explanation of HTTP request methods see <a href="http://www.w3.org/Protocols/rfc2616/rfc2616.html" rel="nofollow">RFC 2616</a>, especially Section 5.1.1 and Section 9.</em></p>
<p>The usual way to request a resource (URI, URL, web page) is the GET method (or HEAD if you only want the headers).</p>
<p>Usually, the POST method is only used if data, that is sent by the client to the server, should not appear in the URI. Account names and passwords, or other sensitive form data, are often transmitted this way. (Of course, you'd still need SSL, as this alone provides no encryption.)</p>
<p>Most of my resources (URIs) do not need the POST method. For example, pages that contain my articles should be retrieved by GET. Examples of proper request lines:</p>
<pre><code>GET /myarticles HTTP/1.1
GET /copyrightnotice HTTP/1.1
GET /blog/2011/03/14/something.html HTTP/1.1
</code></pre>
<p>The only ones that need POST are login pages (where the account and password that have been entered into a form are sent in the POST body) and certain other special pages. Examples:</p>
<pre><code>POST /performlogin HTTP/1.1
POST /formtarget HTTP/1.1
POST /savevote HTTP/1.1
</code></pre>
<p>My question is, should I disallow the POST method on pages that do not need it (like /myarticles, /copyrightnotice, etc)?</p>
<p>In other words, if I get this request line:</p>
<pre><code>POST /blog/2011/03/14/something.html HTTP/1.1
</code></pre>
<p>should I</p>
<p>a) send a 405 (Method not allowed) error code back, together with an Allow: header, like this:</p>
<pre><code>HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD
Date: ...
</code></pre>
<p>b) -OR- should I simply treat the POST request as if it was a GET request?</p>
<pre><code>HTTP/1.1 200 OK
Date: ...

HTML-content-here
</code></pre>
<p>Does it matter, or is it completely up to me? Are there any caveats/security risks when using option b)? I'm trying to stay as much standards compliant as possible.</p>
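<p>Option a) from the question, sketched as an added example that is not part of the original post: a per-resource method allow-list that answers a disallowed method with 405 and an Allow header. The route table is built from the paths named in the question; the function names and response bodies are assumptions.</p>

```python
# Added example: per-resource method allow-list (option a in the question).
from http import HTTPStatus

# Constructed route table using the paths named in the question.
ROUTES = {
    "/myarticles": {"GET", "HEAD"},
    "/copyrightnotice": {"GET", "HEAD"},
    "/blog/2011/03/14/something.html": {"GET", "HEAD"},
    "/performlogin": {"POST"},
    "/formtarget": {"POST"},
    "/savevote": {"POST"},
}


def reply(status, headers, body, send_body=True):
    """Build (status_line, headers, body); HEAD keeps the length, drops the body."""
    headers = headers + [("Content-Length", str(len(body)))]
    return f"{status.value} {status.phrase}", headers, body if send_body else b""


def respond(method, path):
    """Decide the response for one request line (hypothetical helper)."""
    allowed = ROUTES.get(path)
    if allowed is None:
        return reply(HTTPStatus.NOT_FOUND, [], b"not found\n")
    if method not in allowed:
        # RFC 2616 section 10.4.6: a 405 response must include an Allow
        # header listing the methods valid for the requested resource.
        allow = ", ".join(sorted(allowed))
        return reply(HTTPStatus.METHOD_NOT_ALLOWED, [("Allow", allow)],
                     b"method not allowed\n")
    # Placeholder content; a real handler would render the page or process
    # the submitted form here.
    content = b"content for " + path.encode() + b"\n"
    return reply(HTTPStatus.OK, [], content, send_body=(method != "HEAD"))


def app(environ, start_response):
    """WSGI entry point wrapping respond(); usable with wsgiref.simple_server."""
    status, headers, body = respond(environ["REQUEST_METHOD"],
                                    environ.get("PATH_INFO", "/"))
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    for line in ("GET /myarticles", "POST /blog/2011/03/14/something.html"):
        method, path = line.split()
        print(line, "->", respond(method, path)[:2])
```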