Quiz Entry - updated: 2026.07.14
What are the key differences between an HTTP GET and an HTTP POST request?
GET is for retrieving data and should not change server state; POST is for submitting data and may change state.
| GET | POST | |
|---|---|---|
| Parameters live in | URL query string (?id=123&x=y) |
Request body |
| Has a body? | No | Yes |
| Cached by browser/proxy | Yes | No |
| Bookmarkable / linkable | Yes | No |
| Logged in server access logs | Yes (full URL) | Body usually not logged |
| Should change server state? | No — should be safe & idempotent | Yes |
| Resent on back/refresh? | Silently | Browser warns ("resubmit form?") |
Security implications:
- Never put secrets in a GET — they end up in browser history, referer headers leaking to other sites, server logs, proxy caches. Login forms must use POST.
- GETs being cached means a
GET /transfer?to=mallory&amount=1000can be triggered by<img src="...">on another site (classic CSRF). State-changing actions belong in POST + CSRF token. - Other methods exist (PUT, DELETE, PATCH, HEAD, OPTIONS), mostly used by REST APIs.
Tip: The Rails/Django mantra "GETs are safe, POSTs are not" exists precisely because the framework can apply CSRF protection to one and not the other.