> The difference in security between GET and POST is about the same as level ground vs. a fingernail-sized piece of tissue paper on that same level ground, since it would have only stopped someone so incompetent as to not have been a threat anyway.
POST is used to take actions, such as POSTing a message on Slashdot, logging in, logging out, deleting something, etc. That data isn't visible to other sites you visit. It's not part of the REFERER, or document.location, etc. Assuming either SSL or no MITM by someone with access to your network, POST data is private. Additionally, POST explicitly means it has some effect, so it should not be repeated, cached, etc. If you confuse the two, doing something (such as creating a Slashdot post) based upon a GET request, you may well end up doing the action multiple times when it should have been done only once, or not doing it at all when it should have been, because the request was answered by a cache. It's not okay to add four hard drives to my shopping cart when I click "Add to cart" once, so not knowing and respecting the difference is a significant security issue.
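The two failure modes named in the comment above (action repeated, action swallowed by a cache), as an added example that is not part of the original thread. The `Origin` and `Intermediary` classes, the `/cart/add` URL and the lost-reply retry are constructed assumptions that model an HTTP hop treating GET as safe and POST as not.

```python
class Origin:
    """Constructed shop backend: every hit on /cart/add adds one item."""
    def __init__(self):
        self.cart = 0

    def handle(self, method, url):
        if url.startswith("/cart/add"):
            self.cart += 1
        return f"cart={self.cart}"


class Intermediary:
    """Constructed cache/proxy: GET may be answered from cache or silently
    retried after a lost reply; POST is never cached and never replayed."""
    def __init__(self, origin, lose_first_reply=False):
        self.origin = origin
        self.cache = {}
        self.lose_next_reply = lose_first_reply

    def request(self, method, url):
        if method == "GET" and url in self.cache:
            return self.cache[url]          # origin never sees this click
        reply = self.origin.handle(method, url)
        if self.lose_next_reply:
            self.lose_next_reply = False
            if method != "GET":
                raise TimeoutError("reply lost; POST is not replayed")
            reply = self.origin.handle(method, url)  # automatic GET retry
        if method == "GET":
            self.cache[url] = reply
        return reply


def clicks(method, n, lose_first_reply=False):
    """Click 'Add to cart' n times; return how many items the origin added."""
    origin = Origin()
    hop = Intermediary(origin, lose_first_reply)
    for _ in range(n):
        try:
            hop.request(method, "/cart/add?item=hdd")
        except TimeoutError:
            pass  # the user sees an error and decides whether to resubmit
    return origin.cart


if __name__ == "__main__":
    print("GET,  2 clicks, cache in path:", clicks("GET", 2))        # 1 item
    print("GET,  1 click, reply lost:    ", clicks("GET", 1, True))  # 2 items
    print("POST, 2 clicks:               ", clicks("POST", 2))       # 2 items
    print("POST, 1 click, reply lost:    ", clicks("POST", 1, True)) # 1 item
```
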