When comparing an HTTP GET to an HTTP POST, what are the differences from a security perspective? Is one of the choices inherently more secure than the other? If so, why?
Even if POST gives no real security benefit versus GET, for login forms or any other form with relatively sensitive information, make sure you are using POST as:
POSTed will not be saved in the user's history.
GET, it will be visible in the history and the URL bar).
Also, GET has a theoretical limit of data. POST doesn't.
For real sensitive info, make sure to use SSL (HTTPS)
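One way to check a page against the advice in the answer above, as an added example that is not part of the original answer: it flags forms that carry a sensitive field but submit via GET (the browser default) or post to a cleartext `http://` action. The `SENSITIVE_NAMES` list, the finding labels and the sample markup are assumptions constructed for this example.

```python
from html.parser import HTMLParser

# Field names treated as sensitive besides type="password" (assumed list).
SENSITIVE_NAMES = {"password", "passwd", "pwd", "pin", "token"}

class FormAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (action, issue) tuples
        self._form = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            method = a.get("method", "").strip().lower()
            if method not in ("post", "dialog"):
                method = "get"  # browsers default to GET if missing/invalid
            self._form = {"action": a.get("action", ""), "method": method,
                          "sensitive": False}
        elif tag == "input" and self._form is not None:
            if (a.get("type", "").lower() == "password"
                    or a.get("name", "").lower() in SENSITIVE_NAMES):
                self._form["sensitive"] = True

    def handle_endtag(self, tag):
        if tag != "form" or self._form is None:
            return
        form, self._form = self._form, None
        if not form["sensitive"]:
            return
        if form["method"] == "get":  # values land in the URL, hence history
            self.findings.append((form["action"], "sensitive-field-via-get"))
        if form["action"].lower().startswith("http://"):
            # Relative actions inherit the page's scheme; not judged here.
            self.findings.append((form["action"], "cleartext-http-action"))

def audit_forms(html):
    parser = FormAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup, not taken from any real site.
SAMPLE = """
<form action="/login"><input name="user"><input type="password" name="pw"></form>
<form action="http://example.test/login" method="POST"><input type="password" name="pw"></form>
<form action="https://example.test/login" method="post"><input name="token"></form>
<form action="/search" method="get"><input name="q"></form>
"""
```

Calling `audit_forms(SAMPLE)` reports the first two forms and leaves the HTTPS POST login form and the GET search form alone.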