GET
GET is used to retrieve data. It usually carries no body. The query string appears in the URL, so it can end up in bookmarks and browsing history.
GET is the primary mechanism of information retrieval and the focus of almost all performance optimizations.
```js
// The encoded query string is visible in the URL:
// "$filter=ScenicSpotName ne null and $top=8 and $skip=8 and $format=JSON"
const res = await fetch(
  `https://ptx.transportdata.tw/MOTC/v2/Tourism/ScenicSpot?%24filter=ScenicSpotName%20ne%20null&%24top=8&%24skip=8&%24format=JSON`,
  {
    method: 'GET',
    headers: {
      Authorization: '...',
      'X-Date': '...'
    },
  },
);
```
GET can in fact carry a body as well, although this is not recommended.
Sending body/payload in a GET request may cause some existing implementations to reject the request — while not prohibited by the specification, the semantics are undefined. It is better to just avoid sending payloads in GET requests.
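You will also often see the claim that GET limits the data length to 2048 characters. HTTP itself imposes no such limit; the limit comes from the browser's URI length limit or from what the server is able to handle.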
The HTTP protocol does not place any a priori limit on the length of a URI. Servers MUST be able to handle the URI of any resource they serve, and SHOULD be able to handle URIs of unbounded length if they provide GET-based forms that could generate such URIs. A server SHOULD return 414 (Request-URI Too Long) status if a URI is longer than the server can handle (see section 10.4.15).
For a detailed explanation, see What is the maximum length of a URL?
POST
POST is used to create or update data. It carries a body.
```js
// The query conditions go in the body
const res = await fetch(
  `https://reqbin.com/echo/post/json`,
  {
    method: 'POST',
    headers: {
      Authorization: '...',
      'Content-Type': 'application/json'
    },
    // fetch does not serialize objects; the body must be a JSON string
    body: JSON.stringify({
      Id: 78912,
      Customer: 'Jason Sweet',
      Quantity: 1,
      Price: 18.00
    })
  }
)
```
The POST example is taken from How do I send an HTTP POST request?
POST is more secure than GET, but that does not mean the data cannot be intercepted, so SSL encryption is still required.
HTTP POST is not encrypted, it can be intercepted by a network sniffer, by a proxy or leaked in the logs of the server with a customised logging level.
POST is better than GET because POST data is not usually logged by a proxy or server, but it is not secure.
you must use SSL or encrypt the data before you POST.
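The point about request data leaking through server logs can be checked against access logs. The following added example (not from the original post) scans common-log-format lines for sensitive parameter names in the request URL and redacts their values; the parameter names in `SENSITIVE_KEYS` and the sample log lines are constructed assumptions.

```javascript
// Added example: parameter names and log lines are constructed assumptions.
const SENSITIVE_KEYS = new Set(['password', 'token', 'access_token', 'api_key']);

// Constructed access-log lines in common log format.
const SAMPLE_LOG = [
  '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /login?user=amy&password=hunter2 HTTP/1.1" 200 512',
  '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /spots?%24top=8&%24skip=8 HTTP/1.1" 200 2048',
  '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "POST /login HTTP/1.1" 200 512',
  '203.0.113.9 - - [01/Jan/2024:10:00:12 +0000] "GET /export?Access_Token=abc%2F123&format=JSON HTTP/1.1" 200 99',
];

// Extract method and request target from the quoted request line.
function parseRequest(line) {
  const m = /"([A-Z]+) (\S+) HTTP\/[\d.]+"/.exec(line);
  return m ? { method: m[1], target: m[2] } : null;
}

// Replace values of sensitive query parameters, leaving other bytes untouched.
function redactTarget(target) {
  const q = target.indexOf('?');
  if (q === -1) return { redacted: target, found: [] };
  const found = [];
  const pairs = target.slice(q + 1).split('&').map((pair) => {
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    let key = rawKey;
    try { key = decodeURIComponent(rawKey.replace(/\+/g, ' ')); } catch { /* malformed escape: compare raw */ }
    if (!SENSITIVE_KEYS.has(key.toLowerCase())) return pair;
    found.push(key);
    return `${rawKey}=REDACTED`;
  });
  return { redacted: `${target.slice(0, q)}?${pairs.join('&')}`, found };
}

// Report which requests exposed secrets in the URL and return a redacted log.
function auditAccessLog(lines) {
  const findings = [];
  const cleaned = lines.map((line, i) => {
    const req = parseRequest(line);
    if (!req) return line;
    const { redacted, found } = redactTarget(req.target);
    if (found.length === 0) return line;
    findings.push({ line: i + 1, method: req.method, keys: found });
    return line.replace(req.target, () => redacted); // function avoids `$` replacement patterns
  });
  return { cleaned, findings };
}

console.log(auditAccessLog(SAMPLE_LOG).findings);
```

The POST line passes through unchanged because its body never reaches the access log, which is the difference the quotes above describe; it says nothing about what a proxy or a sniffer on a non-SSL connection can see.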
You will also hear that POST has no limit on data length. HTTP indeed imposes none, but browsers do, so in practice the maximum is min(serverMaximumSize, clientMaximumSize).
The maximum POST request body size is configured on the HTTP server and typically ranges from 1MB to 2GB
The HTTP client (browser or other user agent) can have its own limitations. Therefore, the maximum POST body request size is min(serverMaximumSize, clientMaximumSize).
Comparison
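| | GET | POST |
|---|---|---|
| URL | Carries a query string | No query string |
| Security | Poor | Better than GET, but SSL encryption is still required |
| Data types | Strings only (ASCII) | Any, including nested structures |
| Data length | In practice limited by the browser and server | In practice limited by the browser and server |
| Can be bookmarked | 〇 | ✖ |
| Browser history | 〇 | ✖ |
| Caching | 〇 | △ Responses to POST requests are only cacheable when they include explicit freshness information. However, POST caching is not widely implemented. |
| Other | No encoding needed, so performance is better than POST | helps you to determine resource URI. |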
References
GET Vs. POST: Key Difference Between HTTP Methods
Is either GET or POST more secure than the other?
How secure is a HTTP POST?
What is the maximum length of a URL?
Can HTTP POST be limitless?
RFC7231 - GET
RFC7231 - POST
RFC2068 - Hypertext Transfer Protocol -- HTTP/1.1