GET
and POST
are the only HTTP methods to use when dealing with forms.
Django’s login form is returned using the POST
method, in which the browser bundles up the form data, encodes it for transmission, sends it to the server, and then receives back its response.
GET
, by contrast, bundles the submitted data into a string, and uses this to compose a URL. The URL contains the address where the data must be sent, as well as the data keys and values. You can see this in action if you do a search in the Django documentation, which will produce a URL of the form https://docs.djangoproject.com/search/?q=forms&release=1
.
GET
and POST
are typically used for different purposes.
Any request that could be used to change the state of the system - for example, a request that makes changes in the database - should use POST
. GET
should be used only for requests that do not affect the state of the system.
GET
would also be unsuitable for a password form, because the password would appear in the URL, and thus, also in browser history and server logs, all in plain text. Neither would it be suitable for large quantities of data, or for binary data, such as an image. A Web application that uses GET
requests for admin forms is a security risk: it can be easy for an attacker to mimic a form’s request to gain access to sensitive parts of the system. POST
, coupled with other protections like Django’s CSRF protection offers more control over access.
On the other hand, GET
is suitable for things like a web search form, because the URLs that represent a GET
request can easily be bookmarked, shared, or resubmitted.