07-05-2024 01:26 AM
We have implemented a scripted REST API of type GET. We are currently receiving the required parameters as part of the resource path (path parameters). For example, the resource path we use is something like '/api/product_integration/products/{emp_id}/{ticket_id}'. We then retrieve the employee ID and ticket ID from the path parameters. Now there is a requirement from the Security team to move the parameters from the resource path to the request body. This would need some development effort on both the server and the client side. I would like to understand whether there are any security challenges with path parameters even with the endpoint being HTTPS, and also the ServiceNow Table APIs seem to use a similar format. Also, performance-wise, which option is better, path params or request body? We have a significant number of API calls for this integration, maybe up to 10000 per day.
Looking forward to your suggestions and inputs.
Labels: Architect

07-06-2024 09:17 AM - edited 07-06-2024 09:18 AM
Hi @Vasudhevan2 ,
Security challenges with path parameters: even with HTTPS, the data can be exposed in logs, referrer headers, and browser history, which can be a security constraint.
The performance difference between the two approaches will be minimal. I would recommend focusing more on the type of data and the security requirements.
For sensitive data, we should use request body parameters with POST requests and ensure the use of HTTPS to protect the data while sending.
We should also follow the HTTP standards and best practices to ensure secure and robust API design.
If my response has resolved your query, please consider giving it a thumbs up and marking it as the correct answer!
Thanks & Regards,
Sanjay Kumar

07-05-2024 02:47 AM
From a design perspective, my advice would be to think outside of SN and the tools that could interact with this API. Based on RFC 7231, GET shouldn't have a body. Although SN supports it, some tools that will interact with SN may not, which will cause poor interoperability.
If you want to move to using the body to pass in information that'll be used to constrain a query, you'd be better off creating a POST endpoint.
An easier read than the IETF document is https://www.baeldung.com/cs/http-get-with-body
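As an added example (not code from this thread, and not ServiceNow's own code), here is a sketch of the change the accepted answer and the reply above recommend: one handler that serves the existing GET resource '/api/product_integration/products/{emp_id}/{ticket_id}' and a new POST resource that takes the same two identifiers in a JSON body, with the identifiers validated before any lookup, plus the access-log line each style leaves behind. The request and response objects are hand-built to mirror the shape of ServiceNow's Scripted REST `request` and `response` (`pathParams`, `body.data`, `uri`, `setStatus`, `setBody`) so the file runs in plain Node; the identifier formats, the `lookup` function standing in for a GlideRecord query, and the product record are all assumptions made for the example.

```javascript
'use strict';

// Added example, not from the thread or from ServiceNow. Request/response
// objects mirror the Scripted REST API shape; identifier formats, lookup and
// the product record are constructed for the example.

const EMP_ID_RE = /^[0-9]{4,10}$/;      // assumed employee-number format
const TICKET_ID_RE = /^INC[0-9]{7}$/;   // assumed ticket-number format

// Pull emp_id and ticket_id from the path (GET) or the JSON body (POST) and
// validate both before anything touches a table.
// Returns { ok: true, empId, ticketId } or { ok: false, error }.
function extractIds(request) {
  let raw;
  if (request.method === 'GET') {
    raw = request.pathParams || {};
  } else if (request.method === 'POST') {
    raw = request.body && request.body.data;
    if (!raw || typeof raw !== 'object' || Array.isArray(raw)) {
      return { ok: false, error: 'JSON object body required' };
    }
  } else {
    return { ok: false, error: 'method not supported' };
  }
  const empId = raw.emp_id;
  const ticketId = raw.ticket_id;
  if (typeof empId !== 'string' || !EMP_ID_RE.test(empId)) {
    return { ok: false, error: 'invalid emp_id' };
  }
  if (typeof ticketId !== 'string' || !TICKET_ID_RE.test(ticketId)) {
    return { ok: false, error: 'invalid ticket_id' };
  }
  return { ok: true, empId, ticketId };
}

// Resource script body shared by both resources. lookup(empId, ticketId)
// stands in for the GlideRecord query and returns the record or null.
function handleProducts(request, response, lookup) {
  const ids = extractIds(request);
  if (!ids.ok) {
    response.setStatus(400);
    response.setBody({ error: ids.error });
    return;
  }
  const product = lookup(ids.empId, ids.ticketId);
  if (!product) {
    // One status for "no such ticket" and "not this employee's ticket", so a
    // caller cannot use the response to enumerate other employees' tickets.
    response.setStatus(404);
    response.setBody({ error: 'not found' });
    return;
  }
  response.setStatus(200);
  response.setBody(product);
}

// What a proxy or access log typically records: method, request target
// (path and query string) and status. The body is not part of the line, which
// is why identifiers in the path are exposed there and identifiers in the
// body are not.
function accessLogLine(request, status) {
  return request.method + ' ' + request.uri + ' ' + status;
}

// ---- stand-alone harness with constructed data ----
function makeResponse() {
  return {
    status: null,
    body: null,
    setStatus(code) { this.status = code; },
    setBody(obj) { this.body = obj; },
  };
}

// Constructed "table": one product assigned to employee 100234 on INC0010001.
const CONSTRUCTED_PRODUCTS = {
  '100234|INC0010001': { product: 'Laptop', model: 'X1', emp_id: '100234' },
};
function constructedLookup(empId, ticketId) {
  return CONSTRUCTED_PRODUCTS[empId + '|' + ticketId] || null;
}

function finish(request, response) {
  return { status: response.status, body: response.body,
           log: accessLogLine(request, response.status) };
}

// Existing style: identifiers in the path.
function callGet(empId, ticketId) {
  const request = {
    method: 'GET',
    uri: '/api/product_integration/products/' + empId + '/' + ticketId,
    pathParams: { emp_id: empId, ticket_id: ticketId },
  };
  const response = makeResponse();
  handleProducts(request, response, constructedLookup);
  return finish(request, response);
}

// Proposed style: identifiers in a JSON body on a separate POST resource.
function callPost(data) {
  const request = { method: 'POST', uri: '/api/product_integration/products',
                    body: { data } };
  const response = makeResponse();
  handleProducts(request, response, constructedLookup);
  return finish(request, response);
}

// Running the file prints the two access-log lines side by side.
console.log(callGet('100234', 'INC0010001').log);
console.log(callPost({ emp_id: '100234', ticket_id: 'INC0010001' }).log);
```

In a real instance the body of `handleProducts` is what goes in the resource's script field and `lookup` becomes a GlideRecord query; the new body-based resource is created as a POST resource rather than by adding a body to the existing GET, and the GET resource is kept until every client has migrated. One caveat: the body stays out of the access log only as long as the handler does not write it somewhere else itself, so avoid logging the parsed request body from the script.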

07-06-2024 10:54 AM
Hi @Vasudhevan2 ,
The GET method is only used for retrieving information from the destination source; we cannot send any body parameters in the GET method. For that we can use the POST method.
https://swagger.io/resources/articles/best-practices-in-api-design/
Hence, moving parameters from the path to the request body can enhance security by reducing exposure in logs and caches. However, it requires careful consideration of your application's architecture, API design, and potential impact on existing clients and infrastructure. Work closely with your security team and development team to implement this change effectively, ensuring that security concerns related to path parameters are adequately addressed in the context of your specific application and environment.
Please mark my answer correct and helpful if this works for you.
Thanks and Regards
Sarthak