Should I use GET or POST when requesting sensitive data?

野性不改 2021-02-04 18:51

Should I use GET or POST for retrieving sensitive data, given that:

  • The response will contain sensitive data.
  • There are side-eff
6 answers
  •  死守一世寂寞
    2021-02-04 19:15

    Using POST would only make sense as part of an application designed to prevent a user from repudiating receipt of the response. I don't know of any such schemes, and I wouldn't hazard to devise one off the top of my head.

    The intent of the user's request isn't to create an audit log entry; the intent is to get the response. The accountability log is a side effect, but it's hidden from the user, so POST is not required.

    In other words, you can't hold users accountable for getting the data, because you can't prove they received it. But knowing who requested the data might help an investigation, so recording it as a side effect is still useful.
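The arrangement this answer describes, sketched as an added example (not part of the original post): a GET handler that returns a sensitive record and writes an audit entry as a side effect the caller never sees. The `/records/<id>` path, the `REMOTE_USER` convention for the authenticated caller, and the in-memory store and log are assumptions made for illustration.

```python
import json
import time

# Constructed sample data and an in-memory audit trail (assumptions for this example).
RECORDS = {"42": {"owner": "alice", "note": "constructed sample value"}}
AUDIT_LOG = []


def audit(user, method, path, status):
    """Record who requested what; this shows a request was made, not that the response arrived."""
    AUDIT_LOG.append({"ts": time.time(), "user": user, "method": method, "path": path, "status": status})


def app(environ, start_response):
    """WSGI app: GET /records/<id> returns a sensitive record and logs the access."""
    method = environ["REQUEST_METHOD"]
    path = environ.get("PATH_INFO", "")
    # Hypothetical: an upstream auth layer sets REMOTE_USER after authenticating the caller.
    user = environ.get("REMOTE_USER")
    headers = []
    if method != "GET":
        status, body = "405 Method Not Allowed", {"error": "use GET"}
        headers.append(("Allow", "GET"))
    elif not user:
        status, body = "401 Unauthorized", {"error": "authentication required"}
    elif path.startswith("/records/") and path[len("/records/"):] in RECORDS:
        status, body = "200 OK", RECORDS[path[len("/records/"):]]
    else:
        status, body = "404 Not Found", {"error": "no such record"}
    # The hidden side effect: one audit entry per request, failed requests included.
    audit(user, method, path, status.split()[0])
    payload = json.dumps(body).encode()
    headers += [("Content-Type", "application/json"), ("Content-Length", str(len(payload)))]
    start_response(status, headers)
    return [payload]


def fetch(path, user=None, method="GET"):
    """Call the app in-process and return (status, decoded JSON body)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    if user:
        environ["REMOTE_USER"] = user
    chunks = app(environ, lambda status, response_headers: seen.update(status=status))
    return seen["status"], json.loads(b"".join(chunks))
```

Repeating the same GET returns the same record each time while the audit trail grows by one entry per request, which is the sense in which the log is a side effect rather than the purpose of the request.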
