Stephan van Hulst wrote:... if the payload contains sensitive information, you want it protected by TLS. That is not possible with a GET request.
I'm not so sure about that. I'm fairly certain that an https GET is encrypted from the, er "get"-go. Actually targeting the server is a bit harder to protect, since you cannot route to a (possibly-resolved) IP address without the destination IP in the TCP packet, but the first thing that happens when you send a request to open a listening server port is that encryption is negotiated even before the URL itself (and its GET info) is transmitted.
However, GET was never intended to send large amounts of data, and originally GETs were limited to a fairly small length, often 1024 characters or less. POST was specifically designed for the purpose of larger payloads. POST is theoretically unlimited in payload size, although servers typically have a cutoff point in order to discourage DOS attacks and the like. Systems that receive large images, ZIP files, videos and the like may allow payload sizes in the megabyte range.
The original intent of GET wasn to request (GET) data from the server, perhaps aided by a few identifying/qualifyin parametes. The original intent of POST was to literally post data to the server. However, we have re-purposed these verbs to allow for things like AJAX, ReST, and the like and in some cases adopted conventions to allow a consistent verb usage across heterogeneous transfers within a given framework. We could have added new HTTP verbs for things like long data-in/long data-out and such, but instead we simply futz around.
So long and short of it, yes, I'd POST.