Forum Discussion

Moinul_Rony
Aug 27, 2013

How to always use POST to request sensitive information from server

With sessions encrypted, some functions still use GET to request information from the server. Is there any mechanism, controlled from the F5, to always use POST?

 

3 Replies

  • That's an interesting question. The HTTP request method is something that the client controls (i.e. the browser). So in order to change GET requests to POSTs on the client side, you'd necessarily have to either rewrite the content of returned pages, changing standard GET-style resources (anchors) into forms, or insert elaborate JavaScript to catch request events and rewrite them. Neither option is easy or viable for most applications. You could also technically rewrite a GET request to a POST as it flows through the BIG-IP, but then you also have to consider whether the server can handle that POST request. A PHP server expecting a querystring with the $_GET() method isn't going to be looking for something in a POST variable. There are still a few options though:

     

    1. Semantic coding practices - rewrite the important requests to POSTs in the application

       

    2. Some application frameworks natively embed object calls in POST methods (ASP.Net is a good example)

       

    3. Inserting client side JavaScript to catch request events, rewrite them as auto-posting form fields, and then have an iRule rewrite them as GETs on the other side

       

    But ultimately I think your best bet for securing those applications from prying eyes is a smartly-placed layer of SSL/TLS.
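The third option above, as an added example that is not part of the original thread and not F5's own code: a browser-side script that catches clicks on links and replays them as auto-submitting POST forms, together with the inverse mapping (POST body back to GET query string) that the reply says would run on the BIG-IP as an iRule. The inverse is written in JavaScript here only so the round trip can be exercised offline; on a BIG-IP it would be Tcl in an iRule. The `data-post-sensitive` attribute used to pick which links are rewritten, the `installClickInterceptor` helper and the sample URL are all assumptions made for this illustration.

```javascript
// Added example, not from the original thread. Assumptions: links that must
// never travel as GET are marked with a data-post-sensitive attribute; the
// server-side reverse rewrite (done by an iRule in the thread's design) is
// modelled here by postToGetUrl so the round trip can be checked offline.

// Split an href into the pieces a POST form needs: the action URL without
// its query string, and the query parameters as ordered name/value pairs.
function linkToPostForm(href, baseUrl) {
  const url = new URL(href, baseUrl);
  const fields = [];
  for (const [name, value] of url.searchParams) {
    fields.push({ name, value });
  }
  return { action: url.origin + url.pathname, fields };
}

// Encode the fields the way a browser submits an
// application/x-www-form-urlencoded form (spaces become '+').
function encodeFormBody(fields) {
  return new URLSearchParams(fields.map((f) => [f.name, f.value])).toString();
}

// Reverse mapping: given the POST action and its form-encoded body, rebuild
// the GET URL the back end (e.g. a PHP script reading $_GET) expects.
// In the thread's design this step lives in a BIG-IP iRule, not in the app.
function postToGetUrl(action, body) {
  const url = new URL(action);
  url.search = new URLSearchParams(body).toString();
  return url.toString();
}

// Browser side: intercept clicks on marked anchors, build a hidden POST form
// carrying the former query parameters, and submit it instead of the GET.
function installClickInterceptor(doc) {
  doc.addEventListener('click', (ev) => {
    const anchor = ev.target.closest && ev.target.closest('a[data-post-sensitive]');
    if (!anchor) return;
    ev.preventDefault();
    const { action, fields } = linkToPostForm(anchor.href, doc.baseURI);
    const form = doc.createElement('form');
    form.method = 'POST';
    form.action = action;
    for (const { name, value } of fields) {
      const input = doc.createElement('input');
      input.type = 'hidden';
      input.name = name;
      input.value = value;
      form.appendChild(input);
    }
    doc.body.appendChild(form);
    form.submit();
  });
}

// Constructed sample link (hypothetical host and parameters).
const SAMPLE_HREF =
  'https://app.example.com/account/statement?acct=12345&from=2013-01-01';

// Offline demonstration of the full round trip: GET link -> POST form
// fields -> form body -> GET URL on the far side.
function demoRoundTrip(href) {
  const { action, fields } = linkToPostForm(href);
  const body = encodeFormBody(fields);
  return { action, body, restored: postToGetUrl(action, body) };
}

if (typeof document !== 'undefined') {
  installClickInterceptor(document);
} else {
  console.log(demoRoundTrip(SAMPLE_HREF));
}
```

Note what this does and does not buy you: the parameters leave the request line, so they no longer land in web-server access logs, browser history or outbound Referer headers, but they are still in the request body and are only protected on the wire by TLS, which is the point the reply ends on.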

     

  • Do you suggest we restrict TLS negotiation to a high value, say v1.2?

     

    Only if you want it available to a subset of customers that can handle TLS 1.2; not all browsers in every OS can. From a security perspective, the data you would normally have in a GET query string would be in the POST's payload. It's still in the packet, although it perhaps wouldn't get logged by the web server. I guess it depends on what you're trying to protect against, but you can either apply a high TLS version requirement and make the site inaccessible to some customers, or use a really good web app firewall.