[OpenAjaxSecurity] Fw: GET vs HEAD vs OPTIONS
Emmanouil Batsis (Manos)
manos at abiss.gr
Fri Jan 4 03:10:44 PST 2008
Bertrand Le Roy wrote:
> Can they cite which servers don’t support HEAD? I’d argue that it
> shouldn’t even be a choice but always use HEAD if the purpose of the
> request is just to authorize or deny a request using another verb.
>
> GET will potentially result in a very large response, of which only the
> headers will be used. As for your objection about using a token, that
> token can be in headers, which will also be sent when using HEAD.
>
> This looks very wrong to me.
+1.
Manos
--
Manos Batsis, Chief Technologist
5, Daphnidos Street,
14122, Neo Iraklio,
Athens, Greece
Tel: +30 210 2851517
Mob: +30 694 8376942
http://dev.abiss.gr
"BSD code is free code to be used in software. GPL code is code to be
used in free software." Kjella (173770), Slashdot