I wish to know all the pros and cons about using these two methods. In particular the implications on web security.
Thanks.
To choose between them I use this simple rule:
GET for reads. (reading data and displaying it)
POST for anything that writes (i.e. updating a database table, deleting an entry, etc.)
The other consideration is that GET is subject to the maximum URI length and of course can't handle file uploads.
Both GET and POST have their place. You should not rely on any of them for security.
GET requests
POST requests
Do you want the result of the form submission to be bookmarkable (think Google search)? Use GET.
Would you like the result of the form submission to be cachable? Use GET.
Are your requests not idempotent (safely repeatable)? Use POST and then always redirect to a page that is suitable to get via HTTP GET.
Do you need file uploads? Use POST.
GET should not have side-effects: http://www.w3.org/DesignIssues/Axioms.html#state
POST forms should be used when a submission has side effects.
Neither method has any real implication on security, use SSL if you're concerned about security.
In addition to the fine answers from e.g. Micke, I want to point out an important difference in how browser interfaces handle pages requested with GET vs. POST.
If you reload a GET-requested page, the browser will just fetch the URL again (from the server or from cache). However, if you reload a POST, the browser will show a slightly confusing warning popup about reposting data, which the user may then cancel (leading to an even more confusing "expired" page). The same thing happens if you use back or history to return to a page which is the result of a POST.
This is of course based on the different semantics: GET requests are supposed to be idempotent, i.e. you can do it several times without changing anything. POSTs on the other hand are for actions with side effects, like signing up for something, buying something, or posting a comment on a forum. Typically the user doesn't expect to repeat this action when reloading, so the warning is sensible. However, avoid using POST if the action is safely repeatable (like a search), since the warning is not necessary and would just be confusing to the user.
A point regarding security: if you have a password field in a GET form, the password will get masked from prying eyes when you type it in; however, it will be plainly visible in the address bar when you hit submit! But apart from that, there is no real security in either GET or POST, so use SSL if that is a concern.
GET passes data in the URL, POST passes the same data in the HTTP content, both are exactly the same from a security standpoint (that is, completely insecure unless you do something about it yourself, like using HTTPS).
GET is limited by the maximum URL length supported by the browser and web server, so it can only be used in short forms.
From an HTTP standard viewpoint, GET requests should not change the site, and browsers/spiders are much more likely to make GET requests on their own (without the user actually clicking something) than POST requests.
If you are passing things like passwords or other sensitive information, always use POST and make sure you are using SSL so that data doesn't travel between the client and server in clear-text.
Security-wise, the downside of using GET is that all the submitted data will be in the URL, and therefore stored locally on the client in the browser history.
The GET and POST methods in HTTP are the two most popular methods used to transfer data from client to server using the HTTP (Hyper Text Transfer Protocol) protocol. Both GET and POST can be used to send a request and receive a response, but there are significant differences between them.
What is a GET HTTP request?
The HTTP protocol supports several request methods you can use while sending a request using the HTTP or HTTPS protocol. GET is one of them. As the name suggests, the GET method is used to retrieve a page from an HTTP server. One important property of a GET request is that any request parameter or query parameter is passed as a URL-encoded string, appended using the "?" character, which makes it non-secure because whatever information you pass in the URL string is visible to everybody.
When to use an HTTP GET request
As I said, the GET method is not secure and hence not a suitable choice for transferring confidential data, but the GET method is extremely useful for retrieving static content from a web server. Here are some examples where using the GET method makes sense:
There is no side effect of a repeated request, for example clicking a link which points to another page. It doesn't matter if you click the link twice or thrice. This also gives the browser or server a chance to cache the response for faster retrieval.
You are not passing any sensitive or confidential information; instead you are just passing some configuration data or a session id.
You want the URL pointed to by the HTTP GET request to be bookmarkable.
The data that needs to be sent to the server is not large and can safely be accommodated in the maximum URL length supported by all browsers. In general, different browsers have different character limits for URL length, but keeping it under the limit is a good choice.
What is the POST HTTP method?
A POST HTTP request is denoted by the method POST in the HTTP request. In the POST method, data is not sent as part of the URL string to the server; instead, data is sent as part of the message body. Almost all authentication requests are sent via the POST method in the HTTP world. The POST method is secure because data is not visible in the URL string and can be safely encrypted using HTTPS for further security. All sensitive and confidential information sent to the server must go in a POST request and via HTTPS (HTTP with SSL). The POST method is also used for submitting information to the server, i.e. any information which can alter the state of the application, like adding an item to a shopping cart, making payments, etc. Here are some examples where you should consider using the POST method in an HTTP request:
Use POST if you are sending large data which cannot fit into the URL in the case of GET.
Use the POST method if you are passing sensitive and confidential information to the server, e.g. user_id, password, account number, etc.
Use the POST method if you are submitting data which can alter the state of the application, e.g. adding items to a cart and passing that cart for payment processing.
Use POST if you are writing a secure application and don't want to show query parameters in the URL.
Difference between the GET and POST methods in the HTTP protocol
Most of the differences between GET and POST have already been discussed in their respective sections. It all depends upon the requirement when you want to choose between GET and POST, and knowledge of these differences helps you to make that decision.
The GET method passes request parameters in the URL string, while the POST method passes request parameters in the request body. A GET request can only pass a limited amount of data, while the POST method can pass a large amount of data to the server. GET requests can be bookmarked and cached, unlike POST requests. GET is mostly used for viewing purposes (e.g. SQL SELECT), while POST is mainly used for update purposes (e.g. SQL INSERT or UPDATE).
GET might be easier to debug because you can monitor all sent values in the address bar without any additional tools. But there is a limitation on the maximum length, so with a few variables you may exceed this.
POST isn't much more secure these days 'cause with free tools like Fiddler & co. you can grab the values very easily. But there is no real limitation on the length or amount of values you can submit this way, and your URLs look more user-friendly.
So my all-time suggestion would be to use POST instead of GET.
David M's answer gets my vote.
I just wanted to add one item that I heard about, maybe it was an urban legend??
Someone had a site with links that were only for internal use to delete files on their website. All was well until a web spider (I think it was Google) somehow found these links and merrily followed each one, causing all the files on his site to be deleted. The links used GET and should have used POST, as spiders don't follow POST links.
The Google search engine is an example of a GET form, because you should be able to search twice in a row and not affect the results by doing this. It also has the nice effect that you can link to a search results page, because it is a normal GET request, like any other address.
As said previously, use POST for deleting or updating data, but I'd like to add that you should immediately redirect your user to a GET page.
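The two rules above (GET never has side effects; a state-changing POST redirects to a GET-able page) and the spider anecdote earlier in the thread can be shown together in one small router. This is an added example, not code from any answer on this page; the paths, the item store and the crawler are constructed for illustration.

```python
# Added example: a minimal request router that keeps GET side-effect free and
# makes every state change a POST answered with a 303 redirect to a GET page
# (Post/Redirect/Get). All paths and data here are constructed, not real.
from urllib.parse import parse_qs, urlsplit

# Constructed application state: item id -> item name
store = {"1": "widget", "2": "gadget"}


def handle(method, target, body="", state=None):
    """Route one request. Returns (status, headers, response_body).

    `target` is the request-target (path plus optional query string);
    `body` is the form-encoded request body used by POST.
    """
    if state is None:
        state = store
    parts = urlsplit(target)
    path = parts.path

    if method == "GET":
        # Reads only: nothing in this branch mutates `state`, so a crawler,
        # a prefetch or a reload that follows every GET link changes nothing.
        if path == "/items":
            listing = ", ".join(f"{k}={v}" for k, v in sorted(state.items()))
            return 200, {}, listing or "(empty)"
        if path == "/search":
            q = parse_qs(parts.query).get("q", [""])[0].lower()
            hits = [v for v in state.values() if q in v]
            return 200, {}, ", ".join(hits) or "(no results)"
        # A GET to a mutating path is refused rather than acted on.
        return 404, {}, "not found"

    if method == "POST":
        form = parse_qs(body)
        if path == "/items/delete":
            item_id = form.get("id", [""])[0]
            state.pop(item_id, None)
            # 303 See Other: the browser follows with a GET, so a reload or
            # "back" re-reads /items instead of re-submitting the delete.
            return 303, {"Location": "/items"}, ""
        return 404, {}, "not found"

    return 405, {"Allow": "GET, POST"}, "method not allowed"


def crawl(links, state):
    """Model a spider: it only issues GET, so following every link is harmless."""
    for link in links:
        handle("GET", link, state=state)
    return dict(state)


if __name__ == "__main__":
    s = dict(store)
    print(crawl(["/items", "/items/delete?id=1", "/search?q=wid"], s))
    print(handle("POST", "/items/delete", "id=1", state=s))
    print(handle("GET", "/items", state=s))
```

The crawler pass leaves the store intact even though it fetched the delete path with an id in the query string; only the POST removes the item, and the 303 means the user's next reload is a plain GET of the listing.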
It depends on the type of data and size of data you want to transfer. With GET you can pass a maximum of 255 characters to the action page. With the POST method, you don't have such limitations. POST gives more privacy to the data as it is not displayed anywhere. Anything you send using the GET method is displayed in the address bar of the browser.
Many of the search sites normally use the GET method as this gives you the facility to bookmark your search queries. Hope this helps.
One security issue in GET that is often overlooked is that the web server log contains the full URL of every page access. For GET requests, this includes all the query parameters. This is saved to the server log in plain text even if you access the site securely.
The server logs are often used by site statistics apps, so it's not just the server admin who might see it.
The same caveat applies with third-party tracking software, such as Google Analytics: they record the full URL of the page, again including the GET query parameters, and report it to the analytics user.
Therefore, if you are submitting sensitive data (passwords, card numbers, etc etc), even if it's via AJAX and never appears in the browser's actual URL bar, you should always use POST.
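To make the log-leakage point concrete, here is an added example (not code from this answer) that scans constructed Common Log Format lines for sensitive parameter names in GET query strings and redacts them before the line is handed to a statistics or analytics tool. The parameter names in SENSITIVE_PARAMS and the sample log lines are assumptions made for the example.

```python
# Added example: detect and redact sensitive GET query parameters in access
# logs. The log lines and the sensitive-name list are constructed here.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed list of parameter names that must never reach a log or analytics feed.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "card", "cardnumber", "cvv", "token", "session"}

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample lines: one search, one login via GET (leaks the password),
# the same login via POST (body is not logged), one payment via GET (leaks card).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=executive+mba HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.9 - - [10/Oct/2023:13:56:20 +0000] "GET /pay?card=4111111111111111&cvv=123 HTTP/1.1" 200 812
"""


def leaked_params(target):
    """Return the sensitive parameter names present in a request target."""
    query = urlsplit(target).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def find_leaks(log_text):
    """Return (host, method, target, leaked names) for each line that leaks."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        names = leaked_params(m["target"])
        if names:
            hits.append((m["host"], m["method"], m["target"], names))
    return hits


def redact_target(target):
    """Replace sensitive query values so the line is safe to forward."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    for host, method, target, names in find_leaks(SAMPLE_LOG):
        print(host, method, names, "->", redact_target(target))
```

Redaction at the log shipper is a mitigation for data already in URLs; the fix the answer recommends, moving the sensitive fields into a POST body, is what keeps them out of the access log, the browser history and third-party analytics in the first place.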
One gotcha I noticed the other day and it was a real "DUH!" moment for me.
We have a third party search engine on our site and they use the GET method to post the search query to their code. In addition, I had some code that looked for possible SQL injection attacks in the querystring. My code was screwing everything up because it was looking for words like "EXEC", "UPDATE", "DELETE", etc. Well, turns out the user was looking for "EXECUTIVE MBA" and my code found "EXEC" in "EXECUTIVE" and banned their IP.
Believe me, I'm not bragging about my code, just saying that choosing between GET and POST has semi-far reaching implications other than "do I want my passwords showing up in the querystring".
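The "EXEC" in "EXECUTIVE" story is a good illustration of why a substring blocklist on the query string is the wrong layer for the job. The added example below (not code from this answer; the program catalogue and keyword list are constructed) puts the naive substring check beside a whole-word check and then shows the search implemented with a parameterized query, where the user's text is bound as data and never becomes part of the SQL statement.

```python
# Added example: a substring keyword filter versus a whole-word filter, and a
# parameterized query that makes the filter unnecessary for correctness.
# The catalogue rows and KEYWORDS list are constructed for this example.
import re
import sqlite3

KEYWORDS = ("EXEC", "UPDATE", "DELETE", "DROP", "INSERT")


def naive_flag(query):
    """Substring match: 'EXEC' inside 'EXECUTIVE' trips it (the false positive)."""
    upper = query.upper()
    return any(k in upper for k in KEYWORDS)


def token_flag(query):
    """Whole-word match: fewer false positives, but still only a heuristic."""
    return any(re.search(rf"\b{k}\b", query, re.IGNORECASE) for k in KEYWORDS)


def build_catalog():
    """In-memory table of degree programs (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE programs (name TEXT)")
    conn.executemany(
        "INSERT INTO programs VALUES (?)",
        [("Executive MBA",), ("Full-time MBA",), ("Data Science MSc",)],
    )
    return conn


def search(conn, query):
    """Parameterized LIKE: the input is bound as data, not spliced into SQL."""
    rows = conn.execute(
        "SELECT name FROM programs WHERE name LIKE ?", (f"%{query}%",)
    ).fetchall()
    return [r[0] for r in rows]


def table_intact(conn):
    """True if the programs table still exists with its three rows."""
    n = conn.execute("SELECT count(*) FROM programs").fetchone()[0]
    return n == 3


if __name__ == "__main__":
    q = "EXECUTIVE MBA"
    print("naive:", naive_flag(q), "token:", token_flag(q))
    conn = build_catalog()
    print(search(conn, q))
    print(search(conn, "MBA' OR '1'='1"), table_intact(conn))
```

The whole-word variant lets the legitimate query through, but the reason it is safe to let it through is the placeholder in search(): because the text is passed as a bound parameter, the keyword filter is at most a logging signal, not the thing standing between the user and the database.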
Generally best to use POST because it's a bit better hidden for snooping, better handling of spaces/encoding in the fields with some browsers, and especially because of limitations in the overall length of GET fields.
Both sets of values are easily monitored by hackers or other stuff, but GET is less secure in the way that it's very visible what the values are (right in the address bar).
Use SSL for security if that is needed.
A good piece of advice: always use POST for forms, and use query strings (?value=products) when you are not posting things but are trying to GET a specific page, like a product page. Hence the names POST and GET :)