Question

I want to add CSRF protection to my web service, and I learned I should add a token to the request. The problem is that adding tokens to GET requests is very disclosive.

HTTP protocol says GET requests should be used only for retrieving. But, this doesn't mean data retrieved by GET must be safe to be seen by an attacker. I want to retrieve user specific data by GET and I don't want them to be leaked.

So, my question is which request method I should use for this purpose.


Solution

It sounds like you are confusing different issues here.

First, GET methods are not more 'disclosive' in the way you seem to mean here. You are correct that GET should only be used for retrieving information, and never changing it. But that's not related to the transport security of your GET request.

If your connection is not secure and someone is 'listening' in the middle, the CSRF token is probably the very least of your problems. At any rate, transport security and Cross-Site Request Forgery aren't really related.

So, if you are worried about snooping on the connections, secure it with SSL/TLS. If not... just use the token.
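As an added illustration of the answer's point (example code, not from the question or the answer), the following shows how a CSRF check is normally wired: the token lives in the server-side session, is required only for state-changing methods, and is read from a form field or a request header, so it never has to appear in a GET URL at all. User-specific data can still be served over GET; keeping it confidential on the wire is TLS's job. The `handle` dispatcher, the `/me` and `/me/email` paths, and the plain `dict` standing in for a session store are hypothetical stand-ins for whatever framework the service uses.

```python
import hmac
import secrets
from typing import Optional, Tuple

# Methods HTTP defines as safe (read-only). They never require a CSRF token,
# so no token ever needs to be placed in a URL or query string.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) a per-session CSRF token.

    The dict stands in for a cookie-backed, server-side session store (assumption).
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_check(method: str, session: dict, submitted_token: Optional[str]) -> bool:
    """Return True if the request may proceed.

    Safe methods always pass; unsafe methods need a token that matches the
    one stored in the session.
    """
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get("csrf_token")
    if not expected or not submitted_token:
        return False
    # Constant-time comparison so a timing side channel cannot reveal the token.
    return hmac.compare_digest(expected.encode(), submitted_token.encode())


def handle(request: dict, session: dict) -> Tuple[int, str]:
    """Tiny dispatcher standing in for a web framework's router (hypothetical)."""
    method = request["method"].upper()
    headers = request.get("headers", {})
    form = request.get("form", {})
    # Accept the token from a form field or a custom header; never from the URL.
    submitted = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not csrf_check(method, session, submitted):
        return 403, "CSRF token missing or invalid"
    if method == "GET" and request["path"] == "/me":
        # Serving user-specific data over GET is fine; protect it in transit with TLS.
        return 200, "profile of {}".format(session["user"])
    if method == "POST" and request["path"] == "/me/email":
        session["email"] = form["email"]
        return 200, "email updated"
    return 404, "not found"


if __name__ == "__main__":
    # Constructed sample session and requests.
    sess = {"user": "alice"}
    token = issue_csrf_token(sess)
    print(handle({"method": "GET", "path": "/me"}, sess))
    print(handle({"method": "POST", "path": "/me/email",
                  "form": {"email": "alice@example.com"}}, sess))
    print(handle({"method": "POST", "path": "/me/email",
                  "form": {"email": "alice@example.com", "csrf_token": token}}, sess))
```

Run as a script it prints a 200 for the GET (no token needed), a 403 for the POST without a token, and a 200 for the POST that carries the session's token.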

Licensed under: CC-BY-SA with attribution