Of course there is security difference. This is not security against hackers who, as you said, can easily modify POST or GET, but there is security against unintended triggering of changes on the server. If the delete action is a GET request with an ID then this URL will be stored in browser’s history and possibly in some proxy servers, etc. Then it’s easy for the user to visit their history and unwittingly change or delete something simply by loading a URL or by going back/forward. This can sometimes happen after launching a web browser via session restore mechanisms. POST data is not saved in history therefore the user is safe against such unintended actions. This is one of the reasons why POST should be used for triggering actions that change data while GET should be used for actions that only fetch data.