LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the key differences between an HTTP GET and an HTTP POST request?

GET is for retrieving data and should not change server state; POST is for submitting data and may change state.

GET POST
Parameters live in URL query string (?id=123&x=y) Request body
Has a body? No Yes
Cached by browser/proxy Yes No
Bookmarkable / linkable Yes No
Logged in server access logs Yes (full URL) Body usually not logged
Should change server state? No — should be safe & idempotent Yes
Resent on back/refresh? Silently Browser warns ("resubmit form?")

Security implications:

  • Never put secrets in a GET — they end up in browser history, referer headers leaking to other sites, server logs, proxy caches. Login forms must use POST.
  • GETs being cached means a GET /transfer?to=mallory&amount=1000 can be triggered by <img src="..."> on another site (classic CSRF). State-changing actions belong in POST + CSRF token.
  • Other methods exist (PUT, DELETE, PATCH, HEAD, OPTIONS), mostly used by REST APIs.

Tip: The Rails/Django mantra "GETs are safe, POSTs are not" exists precisely because the framework can apply CSRF protection to one and not the other.

From Quiz: ISF / Web Application Security Basics | Updated: Jul 14, 2026