Sending token through GET vs POST

Question

Looking for recommendations for security in sending token (e.g. JWT Token) through a GET vs POST request to the server.

There are two options:

1. Sending token through Headers as part of HTTP GET request
2. Sending token via request Headers/Body as part of HTTP POST request

Note: TLS is used for securing the connection.

Answer 1

Both options are basically the same, only the request looks a little different. There are some additional risks involved, when you send confidential data via GET though:

• The URL containing the confidential data is shown in the browser and a user might make the mistake of sharing the link (via simple copy/paste, sharing on social media, using an online bookmarking service, etc.).
• The confidential data is logged by a logging server after TLS-offloading. This can also happen with POST data, but many logging servers only log the URL per default.

If you have the choice, use POST instead of GET. It is also recommended in the OWASP Top 10 concerning Session Management, that you should never send session IDs in the URL. This can be said about security tokens as well, since they are used for a similar purpose.

Answer 2

The typical case is to send a JWT token via the Authorization header.

Sometimes, you may need to send the token via the request body when the token size is too big, as many servers side components put limits on the header length (check this question on SO). In this case, you must only use POST as in the case of GET requests the token may be disclosed in the browser's URL history or components that log URLs.

Therefore it is recommended to keep the JWT token size low because a lot of server side or proxies do not like.