Yes. The querystring is also encrypted with SSL. Nevertheless, as this article shows, it isn’t a good idea to put sensitive information in the URL. For example: URLs are stored in web server logs – typically the whole URL of each request is stored in a server log. This means that any sensitive data in … Read more
According to MDN, Preflighted requests Unlike simple requests (discussed above), “preflighted” requests first send an HTTP OPTIONS request header to the resource on the other domain, in order to determine whether the actual request is safe to send. Cross-site requests are preflighted like this since they may have implications to user data. In particular, a … Read more
Use POST for destructive actions such as creation (I’m aware of the irony), editing, and deletion, because you can’t hit a POST action in the address bar of your browser. Use GET when it’s safe to allow a person to call an action. So a URL like: http://myblog.org/admin/posts/delete/357 Should bring you to a confirmation page, … Read more
Browsers (and Dashcode) provide an XMLHttpRequest object which can be used to make HTTP requests from JavaScript: function httpGet(theUrl) { var xmlHttp = new XMLHttpRequest(); xmlHttp.open( “GET”, theUrl, false ); // false for synchronous request xmlHttp.send( null ); return xmlHttp.responseText; } However, synchronous requests are discouraged and will generate a warning along the lines of: … Read more
Roy Fielding’s comment about including a body with a GET request. Yes. In other words, any HTTP request message is allowed to contain a message body, and thus must parse messages with that in mind. Server semantics for GET, however, are restricted such that a body, if any, has no semantic meaning to the request. … Read more