Is either GET or POST more secure than the other?

Front-end · Unresolved · 27 · 2094
没有蜡笔的小新 2020-11-22 05:13

When comparing an HTTP GET to an HTTP POST, what are the differences from a security perspective? Is one of the choices inherently more secure than the other? If so, why?

27 answers
  • 2020-11-22 05:48

    It is harder to alter a POST request (it requires more effort than editing the query string). Edit: In other words, it's only security by obscurity, and barely that.

    0 · Discussion (0)
  • 2020-11-22 05:49

    Recently an attack was published that allows a man in the middle to reveal the request body of compressed HTTPS requests. Because request headers and the URL are not compressed by HTTP, GET requests are better secured against this particular attack.

    There are modes in which GET requests are also vulnerable: SPDY compresses request headers, and TLS also provides an optional (rarely used) compression. In these scenarios the attack is easier to prevent (browser vendors have already provided fixes). HTTP-level compression is a more fundamental feature, and it is unlikely that vendors will disable it.

    It is just an example that shows a scenario in which GET is more secure than POST, but I don't think it would be a good idea to choose GET over POST because of this attack. The attack is quite sophisticated and requires non-trivial prerequisites (the attacker needs to be able to control part of the request content). It is better to disable HTTP compression in scenarios where the attack would be harmful.

    0 · Discussion (0)
  • 2020-11-22 05:51

    My usual methodology for choosing is something like:

    • GET for items that will be retrieved later by URL
      • E.g. Search should be GET so you can do search.php?s=XXX later on
    • POST for items that will be sent
      • This is relatively invisible compared to GET and harder to send, but data can still be sent via cURL.

    0 · Discussion (0)
  • 2020-11-22 05:52

    There is no added security.

    POST data does not show up in the history and/or log files, but if the data should be kept secure, you need SSL.
    Otherwise, anybody sniffing the wire can read your data anyway.

    0 · Discussion (0)
  • 2020-11-22 05:53

    The notion of security is meaningless unless you define what it is that you want to be secure against.

    If you want to be secure against stored browser history, some types of logging, and people looking at your URLs, then POST is more secure.

    If you want to be secure against somebody sniffing your network activity, then there's no difference.

    0 · Discussion (0)
  • 2020-11-22 05:54

    You should also be aware that if your site contains links to other external sites you don't control, using GET will put that data in the Referer header sent to the external sites when users press the links on your site. So transferring login data through GET methods is ALWAYS a big issue, since that might expose login credentials for easy access by just checking the logs or looking in Google Analytics (or similar).

    0 · Discussion (0)
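The Referer leak described in the answer above, as an added example that is not part of the original thread: the function below models how a browser derives the Referer header from the page URL and the site's `Referrer-Policy` (per the Referrer Policy spec), so you can check which policies still leak a GET query string to an external link. The page URL and external link are constructed sample values; the policy names are the real spec values.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed example: a page that (mistakenly) carried login data in its GET
# query string and links out to an external site the operator does not control.
REFERRING_PAGE = "https://shop.example/login?user=alice&password=hunter2"
EXTERNAL_LINK = "https://partner.example/offers"

POLICIES = ("no-referrer", "no-referrer-when-downgrade", "origin", "same-origin",
            "strict-origin", "origin-when-cross-origin",
            "strict-origin-when-cross-origin", "unsafe-url")


def _origin(url: str) -> str:
    """Origin-only referrer: scheme + host, trailing slash, no path or query."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc.rsplit("@", 1)[-1], "/", "", ""))


def _stripped(url: str) -> str:
    """Full referrer as browsers send it: credentials and fragment removed, query kept."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc.rsplit("@", 1)[-1], p.path, p.query, ""))


def referer_for(page: str, target: str, policy: str = "strict-origin-when-cross-origin"):
    """Return the Referer value a browser sends when following `target` from `page`
    under `policy`, or None when no Referer header is sent at all."""
    src, dst = urlsplit(page), urlsplit(target)
    same_origin = (src.scheme, src.netloc.rsplit("@", 1)[-1]) == (dst.scheme, dst.netloc.rsplit("@", 1)[-1])
    downgrade = src.scheme == "https" and dst.scheme != "https"   # HTTPS page -> plain HTTP link
    full, origin = _stripped(page), _origin(page)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else (None if downgrade else origin)
    raise ValueError(f"unknown Referrer-Policy: {policy}")


def leaks_query(page: str, target: str, policy: str) -> bool:
    """True when the page's query string would reach the target site in the Referer."""
    ref = referer_for(page, target, policy)
    return bool(urlsplit(page).query) and ref is not None and urlsplit(ref).query == urlsplit(page).query


if __name__ == "__main__":
    for pol in POLICIES:
        print(f"{pol:32} leaks={leaks_query(REFERRING_PAGE, EXTERNAL_LINK, pol)!s:5} Referer={referer_for(REFERRING_PAGE, EXTERNAL_LINK, pol)}")
```

The old browser default (`no-referrer-when-downgrade`) sends the whole query string to the external site, while the current default in major browsers (`strict-origin-when-cross-origin`) sends only the origin; setting the policy explicitly is a useful backstop, but the real fix is to never carry credentials in a GET query string.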