
GET vs. POST: Which One is More Secure?

GET and POST are the most commonly used HTTP methods. Which one should you use, and which is more secure?

How the GET Method Works

GET is used to request data from a specified resource.

The query string (name/value pairs) is sent in the URL of a GET request.

Example:
/get_form.php?variable1=value1&variable2=value2

Summary of GET requests:

  • GET requests can be cached
  • GET requests remain in the browser history
  • GET requests can be bookmarked
  • GET requests should never be used when dealing with sensitive data
  • GET requests have length restrictions
  • GET requests are only used to request data (not modify)

Never use GET to submit actual forms, unless perhaps you need the query results to be saved in a bookmark.

We have one internal Search Engine Application for Engineering Documents, developed back in early 2000, in which we used GET extensively in the search results. Now, our Document Controller and some savvy engineers have become familiar with the URL string. They found that by directly modifying it, they can display specific results without going to the search page. When I tried to upgrade that web app and use the POST method, they complained, and they wanted the old functionality, as they had already used those URLs in many documents to link to the results.

How the POST Method Works

POST is used to send data to a server to create/update a resource.

The data sent to the server with POST is stored in the request body of the HTTP request.

Example:
POST /post_form.php HTTP/1.1
Host: strdoc.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

variable1=value1&variable2=value2

Summary of POST requests:

  • POST requests are never cached
  • POST requests do not remain in the browser history
  • POST requests cannot be bookmarked
  • POST requests have no restrictions on data length
  • POST requests do not expose information in the URL
  • Over HTTPS, POST data is encrypted in transit

Which One is More Secure?

Technically, neither is secure unless you use SSL/TLS.
GET and POST are inherently the same: they pass information between the client and the server, although POST doesn't expose information via the URL.

If you can avoid placing sensitive data in a POST or GET request at all, that is the better solution.
Try to use server-side code to handle confidential information instead.
If you are looking to protect yourself against somebody sniffing your network activity, there is not much difference between the two.

If you are only concerned about stored browser history, proxy logs, proxy caches, and people looking at your URLs, then use POST.

Also, when you refresh your browser or reopen a GET URL, the server request or query happens again without any warning.
Imagine that the URL submits a payment: you would be charged again without any warning.
In contrast, if you use POST, the browser will give you a warning.
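
To check whether sensitive values are already reaching the logs mentioned above, the following added example (not code from the original article) scans access-log lines for sensitive parameter names in the request URL and redacts their values. The parameter list, the log format (Common/Combined Log Format) and the sample lines are assumptions; it also goes one step beyond the text by flagging POST requests that still carry data in the URL query string.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumed list of parameter names treated as sensitive; adjust per application.
SENSITIVE = {"password", "passwd", "token", "session", "ssn", "card", "api_key"}

# Request part of a Common/Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def audit_line(line):
    """Return (method, redacted_target, leaked_names) or None if unparseable."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k.lower() in SENSITIVE]
    redacted = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    target = parts.path + ("?" + urlencode(redacted) if redacted else "")
    return m["method"], target, leaked

def audit(lines):
    """Collect every request whose URL carries a sensitive parameter."""
    findings = []
    for line in lines:
        result = audit_line(line)
        if result and result[2]:
            findings.append(result)
    return findings

# Constructed sample access-log lines (not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /get_form.php?variable1=value1&variable2=value2 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /login.php?user=alice&password=hunter2 HTTP/1.1" 200 734',
    '192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] "POST /post_form.php HTTP/1.1" 302 0',
    '192.0.2.12 - - [01/Jan/2024:10:00:12 +0000] "POST /reset.php?token=abc123 HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for method, target, leaked in audit(SAMPLE_LOG):
        print(f"{method} {target}  leaked in URL: {', '.join(leaked)}")
```

The POST to /post_form.php leaves nothing sensitive in the log because its data travels in the body, while the POST to /reset.php is flagged because the token was placed in the URL.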

Recommendations

If your website is processing sensitive information, and you have no choice but to select between using GET or POST, I recommend using POST over SSL/TLS.

If you can, also use a Web Application Firewall that can handle XSS, SQL injection, CSRF, etc. It adds to your layers of defense, because if you use HTTPS alone without other protections, you can still be attacked via CSRF.