Is either GET or POST more secure than the other?

Question

When comparing an HTTP GET to an HTTP POST, what are the differences from a security perspective? Is one of the choices inherently more secure than the other? If so, why?

Answer 1

Recently an attack was published, that allows man in a middle to reveal request body of compressed HTTPS requests. Because request headers and URL are not compressed by HTTP, GET requests are better secured against this particular attack.

There are modes in which GET requests are also vulnerable, SPDY compresses request headers, TLS also provides an optional (rarely used) compression. In these scenarios the attack is easier to prevent (browser vendors already provided fixes). HTTP level compression is a more fundamental feature, it is unlikely that vendors will disable it.

It is just an example that shows a scenario in which GET is more secure than POST, but I don't think it would be a good idea to choose GET over POST from this attack reason. The attack is quite sophisticated and requires non-trivial prerequisites (Attacker needs to be able to control part of the request content). It is better to disable HTTP compression in scenarios where the attack would be harmful.