Should I use GET or POST when requesting sensitive data?
A step back
First of all, the RFC 2616 is obsolete. Hence, it shouldn't be used as a reference anymore.
Below you'll find the current references for the HTTP/1.1 protocol:
- RFC 7230: Message Syntax and Routing
- RFC 7231: Semantics and Content
- RFC 7232: Conditional Requests
- RFC 7233: Range Requests
- RFC 7234: Caching
- RFC 7235: Authentication
The safe property
Have a look at what the RFC 7231 says about safe methods:
4.2.1. Safe Methods
Request methods are considered "safe" if their defined semantics are essentially read-only; i.e., the client does not request, and does not expect, any state change on the origin server as a result of applying a safe method to a target resource. [...]
This definition of safe methods does not prevent an implementation from including behavior that is potentially harmful, that is not entirely read-only, or that causes side effects while invoking a safe method. What is important, however, is that the client did not request that additional behavior and cannot be held accountable for it. For example, most servers append request information to access log files at the completion of every response, regardless of the method, and that is considered safe even though the log storage might become full and crash the server. [...]
Of the request methods defined by this specification, the
GET
,HEAD
,OPTIONS
, andTRACE
methods are defined to be safe. [...]
In the context of HTTP methods, safe is not related to security and, in a similar way, safe is not about how you deal with sensitive data. Safe means read-only.
As stated above, the use of safe methods do not prevent you from performing operations that are not read-only, such as logging the request to a file. However, this operations should be transparent for the client.
Which method should you use?
It depends on the operation you are performing. In REST APIs, the POST
method is frequently used to create resources while the GET
method is frequently used to request a representation of a resource.
And how about security and sensitive data?
If you want to ensure security when sending sensitive data over the wire, use HTTPS and don't expose sensitive data (such as passwords) in the URL.
In addition to Cássio Mazzochi Molin's excellent answer, you should use HTTPS but you should (generally) use:
- GET for retrieving sensitive data.
- POST for sending sensitive data.
The reason to use GET when retrieving is that the action does not have side-effects, therefore there is no reason to use POST. The only previously applicable reason to use POST was when retrieving JSON via AJAX, because old browsers had bugs meaning that another domain that the user had open in their browser could steal the data from the JSON using a <script>
tag (JSON Hijacking). Disallowing GET prevented this attack because <script src="...">
always uses the GET method. See this answer. Note that using POST here means you should disable GET server-side for this method.
The reason to use POST for sending sensitive data is that it prevents data leakage via the query string (although another way would be to use GET with custom headers set, although POST makes much more sense). The reason is that query string data in the URL is logged by proxy servers, by server logs as default, and can also be stored in browser history, making it not a great place to transmit personal or otherwise sensitive details. Note that during transit over HTTPS they would be encrypted, it is just that they can leak from the encrypted state into other non-encrypted or non-controlled locations. Of course, going back to RFC 7231, if you're making changes based on this sent sensitive data, POST is the better idea as it'll prevent the browser accidentally sending it again in most cases.
One more reason to use POST is that modern browsers don't appear to cache the results of POST requests by default. However, this should not be relied upon. It is much better to set Cache-control: no-store
header in your response either way, any time that sensitive data is output.