Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

APIs

Maria Caruso
Maria Caruso
2,858 Points

Post vs Get

In this video the teacher explains that GET requests are used to get records, while POST requests add new records. At my job our development team often talks about POST requests as being a secure version of a GET request. Is this true? Are POST requests used elsewhere outside of APIs, or for sending secure data (not just creating data)...Or am I understanding this incorrectly?

3 Answers

Steven Parker
Steven Parker
231,275 Points

:mailbox_with_mail: Hi, Maria, I also got your request for an answer.

I agree with most of the information Jennifer has already given you regarding the most common uses for GET and POST. But if we disregard conventions, the purpose that the data is used for is not important to the delivery mechanism, so either could be used as a request or to add information.

So the main differences are:

  • Security — POST data is not contained in the transport headers or displayed by the browser. And it it encrypted when the HTTPS protocol is being used. Furthermore:
    • GET requests can be cached
    • GET requests remain in the browser history
    • GET requests can be bookmarked
  • Data Volume — GET data could have a size limit imposed by servers or proxies.
  • Tamper Reduction — URI's (GET requests) area easily entered into the browser address bar, but POST data requires additional steps or tools.
  • Content Restrictions — URI's are intended to be readable, so GET requests would not be a good choice for carrying binary data as it must be encoded.
Maria Caruso
Maria Caruso
2,858 Points

Thanks! And as a general comment, you're answer is the kind of thing I wish I could "pocket": save for review later in Treehouse. That would be a really nice option to add to the communities, especially since since community is used by many of us as reference material :)

Steven Parker
Steven Parker
231,275 Points

I often bookmark forum pages in my browser. Would that be similar to what you are suggesting?

Maria Caruso
Maria Caruso
2,858 Points

Somewhat. I just think it would be nice to have the feature be internal to treehouse. Some place where students could take notes within treehouse, link to forum answers, tag content, etc. But yes, I'm definitely bookmarking your answer for now!

Steven Parker
Steven Parker
231,275 Points

And you can submit suggestions to Support.

Jennifer Nordell
seal-mask
STAFF
.a{fill-rule:evenodd;}techdegree
Jennifer Nordell
Treehouse Teacher

Hi there! I received your request for assistance. And let's hope I've got this right. To be clear, I'm not an InfoSec expert.

A GET request is sent via URL. This means that the parameters provided in the request are plainly visible right in your browser bar. A POST request, by contrast, sends its information in the body of the request. This can be encrypted over HTTPS and is not immediately visible.

A GET request can be seen by anyone currently watching your screen

As I understand it, any and all sensitive information should be sent via POST, if possible.

Hope this helps! (and someone let me know if I've gotten this all wrong) :sparkles:

Maria Caruso
Maria Caruso
2,858 Points

Hi, yes! This is what I've heard, but the video seems to draw a distinction between GET and POST: where GET is only used to request information, and post is only used to add information. Based on what you've said, this isn't totally correct since you can use POST to securely request information...right?

Jennifer Nordell
seal-mask
.a{fill-rule:evenodd;}techdegree
Jennifer Nordell
Treehouse Teacher

Maria Caruso I believe that to be correct. That being said, this particular course is marked as "Beginner" level and that topic would be way beyond the scope of this course. Also, while you may use POST to request information, I feel fairly certain that you may not use GET to add information.

But there are places where GET does make sense. For example when I submit to the TTH server a request to pull up a video on JavaScript, there's nothing sensitive about that request. And I don't recall anything in this particular course where we're handling sensitive data.

But likely as not, what we want here is the real answer from the guru. So I'm going to tag Andrew Chalkley :sparkles:

Andrew Chalkley
STAFF
Andrew Chalkley
Treehouse Guest Teacher

POST is only secure if it's over HTTPS :) GET is also secure over HTTPS too.

The only "security" issue POST has over GET is that the browser history doesn't have a query string with POST requests. If someone has your browser history, I think you have bigger security issues!

Maria Caruso
Maria Caruso
2,858 Points

Jennifer Nordell Steven Parker Andrew Chalkley Thank you all so much for these responses! They were all very helpful.