My Little Corner of the Net

HTTP Post vs. HTTP Get

I am currently involved, for the second time in the past few months, in interviewing for a new web programmer/analyst to join my team at work. Given that we are a web applications shop, several of our technical questions revolve around web protocols.

I’ve now spoken with, between the two positions, around a dozen applicants. One question that I always ask is “what is the difference between an HTTP Post and an HTTP Get and why would you use one versus the other?”

I’ve spoken with people who have anywhere from a few years’ experience in web technologies all the way up to senior-level folks who have been doing “web stuff” longer than me. Everyone gets the first part of the question correct, at least to some degree. Everyone knows that parameters are sent to the server in the URL string with “get” and that they aren’t with “post” (some people have described how the values are sent in the body of the request with post and some have used phrases like “some other way” to describe the process). Most people also mention that “gets” are cacheable and “posts” are not, and a few have commented on the fact that “gets” are length-limited and can only contain character data whereas “posts” can contain other types of data (via MIME-encoding) and do not have size limitations.

Not one applicant, however, has answered the second part of the question: the “why.” So, as a public service to anyone who may get asked this question in an interview some day (or anyone who wants to make himself a better web developer in the job he already does), I am providing the answer I am seeking:

Get is used to retrieve information from the server, post is used to modify data on the server.

That’s really all there is to it: if you are adding, deleting, or modifying data, you should be using “post.” If you are retrieving existing data and not doing anything destructive to it, then you should use “get.”

If you really want to impress me, you’ll go a little more in-depth:

  • “Post” should be used for any requests that should only be submitted once. Since the data isn’t cached, the request should, theoretically, never be sent twice. This is important to protect against duplicate submissions and overwritten changes.
  • “Get” should be used on search forms. When searching for something, I want my back button to work so I can return to a previous location easily when my search doesn’t pan out as I’d expect.
  • “Post” should be used on data-entry forms. When I’m entering a new order, student record, or blog post, I want to be sure I don’t accidentally submit a duplicate when I hit the back button.

Also, whatever you do, please do not say that “post” is more secure than “get” if you want me to take you seriously. Neither method does any sort of encryption or even obfuscation on the data, so neither provides any level of security. If you want to make sure an onlooker can’t access the data as it moves over the wire, use HTTPS. If you want to make sure the user of your site can’t access the data, don’t put it on your site.
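To make that last point concrete, here is an added example (not part of the original post) that serializes the same form as a “get” and as a “post” and then reads the parameters back out of the raw bytes, exactly as they would cross the wire without HTTPS. The host name, path, and form values are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample data; nothing here comes from a real site.
HOST = "example.test"
FORM = {"user": "alice", "password": "s3cret"}


def build_get(path, params):
    """Serialize a GET request: parameters ride in the request target (URL)."""
    return (f"GET {path}?{urlencode(params)} HTTP/1.1\r\n"
            f"Host: {HOST}\r\n\r\n").encode("ascii")


def build_post(path, params):
    """Serialize a POST request: parameters ride in the message body."""
    body = urlencode(params)
    return (f"POST {path} HTTP/1.1\r\n"
            f"Host: {HOST}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n"
            f"{body}").encode("ascii")


def params_seen_on_wire(raw):
    """Recover form parameters from the plaintext bytes of one request,
    as any party on the network path can when TLS is not in use."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii")
    method, target, _version = request_line.split(" ", 2)
    found = parse_qs(urlsplit(target).query)      # GET-style parameters
    if method == "POST":
        found.update(parse_qs(body.decode("ascii")))  # POST-style parameters
    return {name: values[0] for name, values in found.items()}


if __name__ == "__main__":
    for raw in (build_get("/login", FORM), build_post("/login", FORM)):
        print(raw.decode("ascii"))
        print("recovered:", params_seen_on_wire(raw), "\n")
```

Both requests give up the same values; the only difference is whether they sit before or after the blank line that ends the headers.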
