What's the difference when using GET or POST method? Which one is more secure? What are (dis)advantages of each of them?
(similar question
All or perhaps most of the answers in this question and in other questions on SO relating to GET and POST are misguided. They are technically correct and they explain the standards correctly, but in practice it's completely different. Let me explain:
GET is considered to be idempotent, but it doesn't have to be. You can pass parameters in a GET to a server script that makes permanent changes to data. Conversely, POST is considered not idempotent, but you can POST to a script that makes no changes to the server. So this is a false dichotomy and irrelevant in practice.
Further, it is a mistake to say that GET cannot harm anything if reloaded - of course it can if the script it calls and the parameters it passes are making a permanent change (like deleting data, for example). And so can POST!
Now, we know that POST is (by far) more secure because it doesn't expose the parameters being passed, and it is not cached. Plus you can pass more data and you get a clean, non-confusing URL. And it does everything that GET can do. So it is simply better. At least in production.
So in practice, when should you use GET vs. POST? I use GET during development so I can see and tweak the parameters I am passing. I use it to quickly try different values (to test conditions for example) or even different parameters. I can do that without having to build a form and having to modify it if I need a different set of parameters. I simply edit the URL in my browser as needed.
Once development is done, or at least stable, I switch everything to POST.
If you can think of any technical reason that this is incorrect, I would be very happy to learn.
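
An added example, not part of the answer above: it shows where a parameter ends up in a server's access log when sent by GET versus POST, using Python's standard `http.server`. The `/account` path, the `token` parameter and its value are constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class LoggingHandler(BaseHTTPRequestHandler):
    """Minimal handler that records access-log lines instead of printing them."""
    log_lines = []  # filled by log_message()

    def log_message(self, fmt, *args):
        # http.server passes the request line (method, path, query string) here.
        self.log_lines.append(fmt % args)

    def _reply(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def do_GET(self):
        self._reply()

    def do_POST(self):
        # Read the body so the request is fully consumed; it is never logged.
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self._reply()

def access_log_for(method, secret="s3cr3t-constructed"):
    """Send one request carrying `secret`; return the server's access-log line."""
    LoggingHandler.log_lines = []
    server = HTTPServer(("127.0.0.1", 0), LoggingHandler)  # port 0: any free port
    worker = threading.Thread(target=server.handle_request, daemon=True)
    worker.start()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
    if method == "GET":
        conn.request("GET", f"/account?token={secret}")
    else:
        conn.request("POST", "/account", body=f"token={secret}",
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
    conn.getresponse().read()
    conn.close()
    worker.join(timeout=5)
    server.server_close()
    return LoggingHandler.log_lines[0]

if __name__ == "__main__":
    print("GET :", access_log_for("GET"))
    print("POST:", access_log_for("POST"))
```

The URL, query string included, is also what browsers keep in history and what proxies typically log. The POST body is still sent in the clear unless the connection uses TLS.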