GET vs POST in REST Web Service

Question

I\'m in the process of developing a REST service that allows a user to claim their listing based on a couple of pieces of information that appear on their invoice (invoice n

Answer 1

Independently of POST vs GET, I would recommend NOT basing your security as something as simple as a zip code and an invoice number. I would bet on the fact that invoice numbers are sequential (or close), and there aren't that many zip codes around - voila, I got full access to your listings.

If you're using another authentication method (typically in HTTP header), then you're good - it doesn't matter if you have an invoice number if the URL, so might as well use GET.

If you're not, then I guess POST isn't as bad as GET in term of exposing confidential content.