Is data sent via HTTP POST hidden or more secure than data sent via GET?
Short answer
No. POST simply carries parameters in the request body instead of the URL; that body is plaintext and fully visible to anyone who can see the traffic unless HTTPS is used. POST is preferable for state-changing actions and keeps params out of URLs, logs, and browser history, but it provides no confidentiality on its own. The misconception confuses 'not in the URL' with 'encrypted' — only TLS encrypts either method's data in transit.
A surprising number of developers believe POST "hides" data. It doesn't encrypt anything. Understanding why is a clean test of whether someone grasps the difference between transport and encryption.
Why the popular answer is wrong
A POST request looks like this on the wire: request line, headers, a blank line, then the body containing your parameters — as readable text. A GET request puts those parameters in the URL's query string instead. In both cases, if the connection is plain HTTP, anyone who can observe the traffic — a network sniffer, a malicious Wi-Fi hotspot, a transparent proxy — reads the values directly. POST changes where the data sits, not whether it is encrypted. The claim that POST is "encrypted" or that its parameters are "secret from proxies" because they aren't logged is simply false; a proxy terminating or inspecting the connection sees the full body.
What POST actually buys you
POST has real, legitimate advantages, just not confidentiality. Because parameters aren't in the URL, they don't end up in browser history, server access logs, bookmarks, or the Referer header sent to third parties — all places a GET query string can leak. POST is also the correct method for state-changing actions (it isn't expected to be safe or idempotent) and avoids URL-length limits. Those are good reasons to use it, but they are about hygiene and semantics, not cryptography.
The real fix: TLS
The only thing that makes either request confidential is HTTPS / TLS, which encrypts the entire request — method, headers, URL, and body — between the browser and the server. Over TLS, both GET and POST bodies are protected from on-path eavesdroppers. Even then, prefer POST for secrets, because a URL placed in a GET request can still surface in logs and history after decryption. The interview-ready summary: POST moves data out of the URL; TLS makes it secret. Conflating the two is the gotcha.
Likely follow-ups
- What actually encrypts the POST body in transit, and at what layer?
- Why is sending a password in a GET query string still a bad idea even over HTTPS?
- Where might GET parameters leak that POST parameters usually won't?