[OpenAjaxSecurity] Fw: GET vs HEAD vs OPTIONS

Emmanouil Batsis (Manos) manos at abiss.gr
Fri Jan 4 03:10:44 PST 2008


Bertrand Le Roy wrote:
> Can they cite which servers don’t support HEAD? I’d argue that it 
> shouldn’t even be a choice but always use HEAD if the purpose of the 
> request is just to authorize or deny a request using another verb.
> 
> GET will potentially result in a very large response, of which only the 
> headers will be used. As for your objection about using a token, that 
> token can be in headers, which will also be sent when using HEAD.
> 
> This looks very wrong to me.


+1.

Manos

-- 
Manos Batsis, Chief Technologist
          __    _
   ____ _/ /_  (_)_________ ____ ______
  / __ `/ __ \/ / ___/ ___// __ `/ ___/
/ /_/ / /_/ / (__  |__  )/ /_/ / /
\__,_/_.___/_/____/____(_)__, /_/
                         /____/

5, Daphnidos Street,
14122, Neo Iraklio,
Athens, Greece

Tel: +30 210 2851517
Mob: +30 694 8376942

http://dev.abiss.gr

"BSD code is free code to be used in software. GPL code is code to be 
used in free software." Kjella (173770), Slashdot
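The HEAD-for-authorization pattern Bertrand describes, as an added illustration that is not code from this thread or from any OpenAjax project: a small Python server authorizes on a token carried in a request header (the header name `X-Auth-Token`, the token value and the resource path are made up for the example) and serves a 1 MB resource. HEAD returns the same status and Content-Length as GET but puts no body on the wire, so a client can learn whether a request would be accepted or denied without pulling the payload.

```python
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from http.client import HTTPConnection

# Constructed sample token and resource (assumptions, not values from the thread).
VALID_TOKEN = "example-token"
BODY = b"x" * 1_000_000  # a 1 MB payload that a GET would transfer in full

class Handler(BaseHTTPRequestHandler):
    """Authorizes on a header token; HEAD sends headers only, GET sends the body too."""

    def _authorize(self):
        # The token travels in a request header, so it is present for HEAD and GET alike.
        if self.headers.get("X-Auth-Token") != VALID_TOKEN:
            self.send_response(403)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return False
        self.send_response(200)
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()
        return True

    def do_HEAD(self):
        self._authorize()           # status and headers only, no body on the wire

    def do_GET(self):
        if self._authorize():
            self.wfile.write(BODY)  # same headers, but the whole body follows

    def log_message(self, *args):   # keep the example quiet
        pass

def start_server():
    """Bind an ephemeral loopback port and serve in a daemon thread; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

def probe(port, method, token=None):
    """Send one request; return (status, advertised Content-Length, bytes actually received)."""
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"X-Auth-Token": token} if token else {}
    conn.request(method, "/report", headers=headers)
    resp = conn.getresponse()
    body = resp.read()              # http.client knows a HEAD response carries no body
    conn.close()
    return resp.status, int(resp.getheader("Content-Length", "0")), len(body)
```

Comparing `probe(port, "HEAD", VALID_TOKEN)` with `probe(port, "GET", VALID_TOKEN)` shows identical status and Content-Length with zero versus one million bytes received; omitting the token yields 403 on either verb.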

