Is GET or POST more secure? Like many things in computers, it depends!
Who are you trying to secure data against?
- The user in his/her browser
- People who legitimately see the URL
The user in his/her browser
This is the case that is usually discussed. Some people will naively say they want to “secure” the data by using POST. That way the user “can’t change the submitted data.” Of course, this hooey. Anything on the user’s machine is something the user can see/change.
People who legitimately see the URL
Many people have access to the URL such as in logs. Having sensitive information in the URLs is a bad idea. This actually happened recently at JavaRanch. A user started a thread inquiring about a thread that linked to his but he couldn’t see the protected page. At JavaRanch, as on many blogs, URLs look like “http://www.coderanch.com/t/493907/Ranch-Office/Could-anyone-enlighten-me-please”. Luckily we had taken a precaution and used a shorter form of the URL for our private forum. Otherwise information could leak out!
Similarly, social security numbers and other sensitive information should not be in a GET form submission because the information is then out of your control. If at all possible, they should be kept on the server and never sent to the user’s machine in the first place.
Hackers are a harder case because the hacking can be in multiple places. For truly secure information, you have to use HTTPS. For “medium” information, POST is still better than GET because URLs are easier to intercept than whole pages.
As a rule of thumb, POST is going to always be more secure than GET because it removes the “data in the URL” issue. For some things, neither is secure enough.