It’s well known that GET requests with ?xx=yy arguments embedded can be altered in transit, and therefore are insecure.
If I change the request to POST, and use HTTPS, then the parameters are in the body of the message, which is encrypted, and therefore difficult to hack, correct?
Two more cases concern me. Suppose GET-style parameters were added to a POST request – would those parameters be reliably ignored?
What about some sort of security downgrade attack? If the URL manipulator forces HTTPS transactions to fail, and then the client/server "helpfully" downgrade to HTTP, that would allow the unencrypted POST body to be manipulated.
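
On the question of GET-style parameters added to a POST: the query string is part of the request line, so the server receives it whatever the method, and whether it is ignored depends on how the handler reads parameters. The following is an added example, not part of the original post; the sample request, the host name and both lookup functions are constructed for illustration. It contrasts a merged lookup with a body-only lookup that rejects any query string on a POST.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample request: a POST whose URL also carries a GET-style
# parameter with the same name as a field in the form body.
BODY = b"amount=10&to=alice"
RAW_REQUEST = (
    b"POST /transfer?amount=9999 HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY
)
# The same request without the query string.
CLEAN_REQUEST = RAW_REQUEST.replace(b"?amount=9999", b"")


def split_request(raw):
    """Return (method, query_params, body_params) from a raw HTTP/1.1 request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n")[0].decode("ascii")
    method, target, _version = request_line.split(" ")
    query = parse_qs(urlsplit(target).query)   # parameters from the URL
    form = parse_qs(body.decode("ascii"))      # parameters from the body
    return method, query, form


def merged_lookup(raw, name):
    """Hypothetical handler that merges both sources, query string last."""
    _method, query, form = split_request(raw)
    merged = {**form, **query}  # on a name clash the URL value wins
    return merged[name][0]


def strict_lookup(raw, name):
    """Hypothetical handler that reads the body only and refuses a POST
    that carries any query string at all."""
    method, query, form = split_request(raw)
    if method == "POST" and query:
        raise ValueError("query string not allowed on POST")
    return form[name][0]


if __name__ == "__main__":
    print("merged:", merged_lookup(RAW_REQUEST, "amount"))
    print("strict:", strict_lookup(CLEAN_REQUEST, "amount"))
```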