Should I use GET or POST when requesting sensitive data?

Question

Should I use GET or POST for retrieving sensitive data, given that:

• The response will contain sensitive data.
• There are side-eff

Answer 1

If the data is highly sensitive, consider using a POST. It's easy to issue a GET request without much thought - for instance if someone is looking at log file while logged in to the application with appropriate permissions and they click a link, they would generate a get request.

You can instead ask the client to construct a document you could call a 'sensitive data access request'. Potentially you could require a field with the reason for looking at this data. The server could receive this request and send the sensitive data in response.

Depending on the type of client application the users have access to, it might be much easier to demonstrate intentionality if a user sends a POST request than if they send a GET request.