GET
GET is a request for information.
- Can be (transparently) resent by browsers.
- May be cached, bookmarked, kept in history.
POST
POST is an update providing information.
- Gives impression that input is hidden.
- Browser may treat differently.
Neither provides confidentiality without HTTPS!
- Plain text, can be sniffed.
In practice, GET often changes state somewhere.
- User searches for something, gets recorded.
- User navigates somewhere, gets recorded.
When to use POST instead of GET
For sensitive data, always use POST.
- Helps with confidentiality but not enough alone.
For large data, use POST.
- URLs should be short (e.g., 2000 chars).
- Longer URLs cause problems in some software.
For actions with major side effects, use POST.
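The three rules above can be checked against a web server access log. The following is an added example, not part of the original notes: it flags GET requests that carry sensitive parameters, GET requests to side-effect endpoints, and URLs over the 2000-character guideline. The parameter names, path keywords and log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed names; tune these to the application being audited.
SENSITIVE_PARAMS = {"password", "passwd", "token", "ssn", "card"}
SIDE_EFFECT_WORDS = {"delete", "transfer", "purchase"}
MAX_URL_LEN = 2000  # the rule-of-thumb length from the notes

# Request part of a Common Log Format line: "METHOD URL HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

def audit_request(method, url):
    """Return the list of rule names a single request violates."""
    findings = []
    parts = urlsplit(url)
    params = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    if method == "GET":
        # Query strings end up in history, caches, bookmarks and server logs.
        if params & SENSITIVE_PARAMS:
            findings.append("sensitive-data-in-url")
        # GET can be transparently resent, so it should not trigger major actions.
        segments = {s.lower() for s in parts.path.split("/") if s}
        if segments & SIDE_EFFECT_WORDS:
            findings.append("side-effect-via-get")
    if len(url) > MAX_URL_LEN:
        findings.append("url-too-long")
    return findings

def audit_log(lines):
    """Return (line_number, findings) for every flagged access-log line."""
    results = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            findings = audit_request(m["method"], m["url"])
            if findings:
                results.append((n, findings))
    return results

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /search?q=shoes HTTP/1.1" 200 812',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "POST /login HTTP/1.1" 302 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:20 +0000] "GET /account/delete?id=7 HTTP/1.1" 200 64',
    '192.0.2.10 - - [01/Jan/2024:10:00:31 +0000] "GET /report?filter=' + "a" * 2100 + ' HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for n, findings in audit_log(SAMPLE_LOG):
        print(n, ", ".join(findings))
```

The second sample line shows why the POST rule matters even under HTTPS: the password is encrypted in transit but still written in plain text to the server's own log.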