req.params property
We can call a DELETE request by using the req.params.id
by gathering URL parameters for pointing to a record by its id for example to a backend route /users/delete/id/:id
req.query property
We can call a DELETE request by using req.query.id
for extracting a JSON object and send it to a backend route /users/delete?id=2
to the controller/model for a record to be deleted like
{"id": "2"}
Question
What is the safest way for sending data to DELETE requests in terms of security issues that a user may take advantage of directly or indirectly considering we already have a safe login system?
CodePudding user response:
If you were using GET or POST then the URL and body (if it wasn't JSON) might be vulnerable to CSRF attacks, but you can't trigger a DELETE request with cross-origin code (unless explicitly granted permission with a perflight CORS request).
You aren't, so it doesn't make any difference (at least from a security perspective).