What is wrong with using GET to remove content?

I know this contradicts the REST architecture, but from a pragmatic point of view, what is wrong with using the GET request method to delete data from the database?

Let's say I created an application with an admin panel. Admin panel administrators can delete items by accessing the URI as follows:

/admin-panel/items-controller/remove-action/id/X

Where X is the primary key of the item to be deleted.

Are there any practical flaws in using this approach? Please enlighten me because I don’t understand why POST should be used for this.

My main problem with using POST to delete data is that instead of a simple link (simple to style in CSS) you need to print a form with a POST method next to each element and then create a style that looks like a button or link. Or have I completely misunderstood?

+4
3 answers

Three words: search engine spiders.

Or browser plugins that prefetch links for faster browsing. All kinds of software implicitly assume that a GET request can be made freely without side effects. This is not just REST; the HTTP standard itself (RFC 2616) says:

In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.

+9

Example: you are logged into your admin panel with full privileges (able to delete). I am a user with limited privileges, but with knowledge of your architecture. Therefore, I can easily send you a link to some "trusted" page where I have put

 <img src="/admin-panel/items-controller/remove-action/id/X" width="1" height="1"> 

The page loads, the item is deleted because the request for the image is sent from the administrator account.

+7

It is very easy, through history or bookmarks, to re-issue a GET request without realizing it. If GET destroys, it can lead to unintentional data loss. Perhaps you can be safe if your keys do not repeat, i.e. the action may just fail, but why put your application and data at risk? Destructive actions should always use either POST or DELETE, preferably the latter, although this usually requires AJAX, so you often provide support for both.

Usually I build the form with a button, as you noted, but then I remove this button and replace it with a link and a click handler that submits the form via JavaScript. Deletion is usually done through AJAX using the DELETE verb, which updates the page contents in a callback. Thus the delete action works in browsers both with and without JavaScript, but has enhanced functionality and style when JavaScript is enabled (95%+ of the time).

+4

Source: https://habr.com/ru/post/1303343/
