Quiz Entry - updated: 2026.07.05
Which HTTP method does a login form use to send credentials to the server, and why not GET?
POST — the form's action/method sends the username and password in the request body, not in the URL.
A login <form method="POST" action="/auth"> submits credentials in the request body. GET would append them to the URL as query parameters (/auth?user=tino&pass=12345), which is bad because URLs are:
- written to browser history and server access logs
- visible in the address bar and sent in the
Refererheader - cached and bookmarked
POST bodies avoid all of that. (Note: on plain HTTP a POST body is still readable on the wire — only HTTPS actually encrypts it. POST vs GET is about where the data sits, not about encryption.)
Tip: You can always find which method a form uses by reading its HTML action and method attributes in the page source.
Go deeper:
MDN: HTTP POST method — POST carries form data in the request body, unlike GET's URL query string.
RFC 7617 — The 'Basic' HTTP Authentication Scheme — why even body/headers are useless without TLS.