GET vs POST, which is more secure?

POST is more secure than GET for a couple of reasons.

GET parameters are passed via URL. This means that parameters are stored in server logs, and browser history. When using GET, it makes it very easy to alter the data being submitted the the server as well, as it is right there in the address bar to play with.

The problem when comparing security between the two is that POST may deter the casual user, but will do nothing to stop someone with malicious intent. It is very easy to fake POST requests, and shouldn't be trusted outright.

The biggest security issue with GET is not malicious intent of the end-user, but by a third party sending a link to the end-user. I cannot email you a link that will force a POST request, but I most certainly can send you a link with a malicious GET request. I.E:

Click Here for the best free movies!

Edit:

I just wanted to mention that you should probably use POST for most of your data. You would only want to use GET for parameters that should be shared with others, i.e: /viewprofile.php?id=1234, /googlemaps.php?lat=xxxxxxx&lon=xxxxxxx


POST just puts the information in a different place (request message body) than GET (url). Some people feel like the latter exposes more information, which is true for some points (read down in the edit). From a point where an attacker would like to intercept your traffic, POST would be equally hard/easy for an attacker as for a GET.

If you want security so your request aren't exposed when it leaves end and start points, use SSL (https).

EDIT

A valid point of Gumbo and Ladadada, logging of GET requests can happen more frequently than POST requests. For instance in the history of a browser (if you share that browser with someone else).

So this means you shouldn't be putting sensitive data in a GET request as a GET request might be exposed to people who are screenwatching.