Semantics of GET and POST Considered Harmful
Mark Baker
mbaker@markbaker.ca
Sun, 15 Jul 2001 13:35:48 -0400 (EDT)
> If I am a packet sniffer, and I see GET /myGoat?food=grass&task=process
> coming into shirky.com, the GET helps me not one whit in determining
> what is being done with that data by the server, because as you say
> "People are free to try to do POST over GET, and GET over POST."
You're completely right for the case of the theoretical, untrusted packet
sniffer.
But consider a firewall installed at shirky.com. This is a packet sniffer
that you, as owner of shirky.com, have trusted to secure your site. And
let's say you want to secure your site by letting in GETs, but not POSTs.
As soon as you install any piece of software on your site that has
side-effects as a result of GET, then you're the only one to blame when
somebody finds a way to discover a race condition around that side-effect
(for example).
It is to your advantage to have GET mean "get" and not "post".
MB
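The point above, as an added worked example (not code from the original post or from shirky.com): a method-based firewall that admits GET and refuses POST, placed in front of two hypothetical handlers for the quoted /myGoat resource. The restful handler makes GET a read and lets only POST change state; the sloppy handler "does POST over GET" by acting on task=process in the query string. The firewall policy protects the first but not the second, because the firewall never sees what the server does with the request. The names firewall_admits, Goat, restful_handler, sloppy_handler, serve and get_is_safe are assumptions for this illustration, as is the goat's "stomach" state.

```python
"""Added example: method-based firewall versus GET with side-effects.

Nothing here is from the original post; the /myGoat request comes from
the quoted text, everything else is constructed for illustration.
"""
from urllib.parse import parse_qs, urlsplit

# The policy from the post: let GETs in, keep POSTs out.
ALLOWED_METHODS = {"GET", "HEAD"}


def firewall_admits(method, allowed=ALLOWED_METHODS):
    """The trusted 'packet sniffer': decides on the HTTP method alone."""
    return method.upper() in allowed


class Goat:
    """Server-side state that a request may read or change (constructed)."""

    def __init__(self):
        self.stomach = []


def _process(goat, params):
    """Apply task=process with food=... to the goat's state, if requested."""
    food = params.get("food", [None])[0]
    if params.get("task", [None])[0] == "process" and food:
        goat.stomach.append(food)
        return True
    return False


def restful_handler(goat, method, target, body=""):
    """GET means 'get': it only reads. POST is the one method that changes state."""
    if method == "GET":
        return 200, {"stomach": list(goat.stomach)}
    if method == "POST":
        return (201 if _process(goat, parse_qs(body)) else 400,
                {"stomach": list(goat.stomach)})
    return 405, {}


def sloppy_handler(goat, method, target, body=""):
    """'POST over GET': a GET carrying task=process in the query string changes state."""
    if method == "GET":
        _process(goat, parse_qs(urlsplit(target).query))
        return 200, {"stomach": list(goat.stomach)}
    if method == "POST":
        _process(goat, parse_qs(body))
        return 200, {"stomach": list(goat.stomach)}
    return 405, {}


def serve(handler, goat, method, target, body=""):
    """Firewall in front of the handler: 403 for any method it does not admit."""
    if not firewall_admits(method):
        return 403, {}
    return handler(goat, method, target, body)


def get_is_safe(handler, target, trials=3):
    """The check the post asks for: repeating a GET must leave state unchanged.

    Returns True if the handler's GET on `target` is 'safe' in the HTTP sense,
    i.e. the server state after `trials` GETs equals the state before them.
    """
    goat = Goat()
    before = list(goat.stomach)
    for _ in range(trials):
        handler(goat, "GET", target)
    return goat.stomach == before


if __name__ == "__main__":
    target = "/myGoat?food=grass&task=process"
    for name, handler in (("restful", restful_handler), ("sloppy", sloppy_handler)):
        goat = Goat()
        get_status, _ = serve(handler, goat, "GET", target)
        post_status, _ = serve(handler, goat, "POST", "/myGoat", "food=grass&task=process")
        print(f"{name}: GET -> {get_status}, stomach={goat.stomach}; "
              f"POST -> {post_status}; GET safe: {get_is_safe(handler, target)}")
```

With the restful handler the firewall's GET-only rule does what its owner intends: the GET passes and reads, the POST is refused, and the state never changes. With the sloppy handler the same firewall admits the same GET and the state changes anyway; the rule was only ever as good as the server's promise that GET means "get". The get_is_safe check is the kind of test to run against any resource before trusting a method-based rule to protect it.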