
MVC2 JSON action, if I want to be RESTful should I allow GET, POST, or Both?

The project I'm currently working on has a whole bunch of JSON actions in order to populate cascading dropdowns via ajax calls. Since they're technically Select queries and we're trying to be RESTful, we've been marking these actions with the HttpGet attributes. However, by default, JsonResult does not allow returning results via a GET. So we've had to explicitly call Json(data, JsonRequestBehavior.AllowGet).

What I'm wondering is, is this bad practice? Should we only be allowing Post requests to our Json actions? If it makes a difference, this is an enterprise application, that requires a log in to a particular environment before it can be accessed.


In my practice I use the following rule to decide which HTTP method is appropriate for a situation: if you only retrieve data, use GET, and if you're changing the state of something, use POST.

From www.w3.org:

Use GET if:

  • The interaction is more like a question (i.e., it is a safe
    operation such as a query, read operation, or lookup).

Use POST if:

  • The interaction is more like an order, or
  • The interaction changes the state of the resource in a way that the user would perceive (e.g., a subscription to a service), or
  • The user be held accountable for the results of the interaction.

Another case where you need to use POST is when you have to send a lot of data to a server.

If the length of your query string is less than 1000, then GET is for you.


As bniwredyc already pointed out, the general rule of thumb is to use GET only if the operation does not alter state / is repeatable etc., otherwise use POST. Thus, GET is probably appropriate in the scenario you are describing.

However, returning JSON in response to a GET request can in some cases allow someone to steal that data (Phil Haack has a nice example). So, you have to ask yourself: is the data returned and used to populate the dropdowns confidential? If so, you may want to go with a POST. If not you can safely use a GET.
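
One way to apply the distinction from the answers above in an MVC 2 controller, as an added example that is not code from either answer. The controller, action names and sample data are hypothetical.

```csharp
using System.Linq;
using System.Web.Mvc;

// Hypothetical controller; names and data are constructed for illustration.
[Authorize] // the application in the question requires a login
public class LookupController : Controller
{
    private class Account
    {
        public int Id { get; set; }
        public int CustomerId { get; set; }
        public string Name { get; set; }
    }

    // Constructed sample data standing in for the real Select queries.
    private static readonly string[] SampleCountries = { "Canada", "Mexico" };
    private static readonly Account[] SampleAccounts =
    {
        new Account { Id = 1, CustomerId = 10, Name = "Operating" },
        new Account { Id = 2, CustomerId = 10, Name = "Payroll" },
        new Account { Id = 3, CustomerId = 11, Name = "Reserve" }
    };

    // Non-confidential lookup: a safe, repeatable read, so GET fits.
    // AllowGet must be stated because Json(...) denies GET by default.
    // The list is wrapped in an object: the hijack Phil Haack describes
    // relies on the response being a top-level JSON array.
    [HttpGet]
    public JsonResult Countries()
    {
        return Json(new { items = SampleCountries }, JsonRequestBehavior.AllowGet);
    }

    // Confidential lookup: still a read, but the data should not be
    // retrievable with a GET, so the action accepts POST only and keeps
    // the default JsonRequestBehavior.DenyGet.
    [HttpPost]
    public JsonResult AccountsForCustomer(int customerId)
    {
        var accounts = SampleAccounts
            .Where(a => a.CustomerId == customerId)
            .Select(a => new { a.Id, a.Name })
            .ToList();
        return Json(new { items = accounts });
    }
}
```

The ajax call that fills the dropdown from the second action has to be sent as a POST, since a GET no longer matches that action.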
