I’m about to develop a new API for our website. Part of the design I’ve considered using the POST and GET methods, but after reading some security stuff I realise that GET is a bit less secure (i.e. allows hotlinking) than POST.
So my question is: why do people use GET in an API if it is less secure? Is it just a legacy conception that “GET” should be used to read and POST to write (i.e. forms)? The GET method still makes sense to me for an image URL or a website page which you can bookmark, but does it make sense for an API? Using the same method (i.e. POST) would make the API more consistent too, as you don’t need to worry about the method.
I should mention that I don’t want to argue against the HATEOAS/RESTful thing, because I’m planning an RPC API (i.e. like Twitter, Facebook etc.).
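As an added illustration of the "hotlinking" concern raised in the question (example code written for this page, not from the poster or any real API): the snippet below models how a browser decides whether a cross-site request can be sent without a CORS preflight. Any `<img>`, `<script>` or plain HTML `<form>` on another site can trigger such a "simple" request, and forms can use POST as well as GET, so the method alone does not settle it. The request samples and the `X-Requested-With` marker header are assumptions made up for the example.

```python
"""
Added example (not part of the original question): a small request gate
showing which API calls an <img>, <script> or <form> on another site could
trigger, and a gate that blocks state changes from such requests.

Browser rule being modelled: a cross-site request is sent without a CORS
preflight only if it is GET/HEAD/POST, carries no non-safelisted header,
and uses one of three form content types. A custom header or a JSON body
makes the browser ask the API server first, which the server can refuse.
"""
from dataclasses import dataclass, field

# Content types a browser may send cross-site without a preflight.
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
# Assumed convention for this API: real clients add this header; an <img>
# or <form> on another site cannot add it without a preflight.
API_MARKER_HEADER = "x-requested-with"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    method: str
    headers: dict = field(default_factory=dict)

    def __post_init__(self):
        # Header names are case-insensitive; normalise once.
        self.headers = {k.lower(): v for k, v in self.headers.items()}

    def header(self, name):
        return self.headers.get(name.lower())


def is_simple_cross_site_request(req):
    """True if a browser would send this request from another origin with
    no CORS preflight, i.e. an <img>, <script> or HTML <form> could fire it."""
    if req.method.upper() not in ("GET", "HEAD", "POST"):
        return False
    ctype = (req.header("content-type") or "").split(";")[0].strip().lower()
    if ctype and ctype not in SIMPLE_CONTENT_TYPES:
        return False
    if req.header(API_MARKER_HEADER) is not None:
        return False
    return True


def api_gate(req, state_changing):
    """Return (decision, reason).

    Read-only calls are served whatever the method: a hotlinked read costs
    bandwidth but changes nothing. A state-changing call is refused when it
    looks like something a foreign page could trigger on its own, which
    covers a POSTed <form> just as much as a GET in an <img> tag."""
    if not state_changing:
        return ("serve", "read-only call")
    if is_simple_cross_site_request(req):
        return ("reject", "no API marker or JSON body; a foreign form/img could send this")
    return ("serve", "marker header or non-form body present")


if __name__ == "__main__":
    # Constructed sample requests, labelled by how they would arise.
    samples = {
        "img tag on another site":      (Request("GET", {"Accept": "image/*"}), True),
        "html form on another site":    (Request("POST", {"Content-Type": "application/x-www-form-urlencoded"}), True),
        "JSON client of this API":      (Request("POST", {"Content-Type": "application/json; charset=utf-8"}), True),
        "XHR client of this API (GET)": (Request("GET", {"X-Requested-With": "XMLHttpRequest"}), True),
        "bookmarkable public read":     (Request("GET", {}), False),
    }
    for label, (req, changes_state) in samples.items():
        decision, reason = api_gate(req, changes_state)
        print(f"{label:30} {req.method:5} -> {decision:6} ({reason})")
```

The gate treats the method as irrelevant and keys on what a foreign page is unable to attach to a request; that is why switching every call to POST does not by itself remove the hotlinking/cross-site exposure the question describes.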