Search form via query string parameter (GET) - privacy concerns


As far as I know:

(1) Query string parameters are encrypted via HTTPS.

(2) Query string parameters are usually not transferred as referrer because of the default referrer policy of most browsers or specific referrer policies for websites.

but:

(3) Query string parameters are usually part of the server logs.

(4) Query string parameters are visible within browser history.

My questions are (since search terms can be very sensitive data, too):

Why is it common practice that search forms on web pages work with GET? Wouldn't POST instead of GET eliminate privacy concerns from (3) and (4)?

Thank you!


Solution

1. Yes

2. Yes, though make sure you control this via your Referer-policy header. If you set no-cache headers, this data will not be stored on proxies either, though that's less significant since it would usually be encrypted anyway.

3. Yes, but you're also handling and processing those same search terms anyway, so there is no additional exposure here. You can of course address this using a logging process that anonymises, or otherwise drops all log detail after analysis and aggregation, and document that process in your privacy policy.

4. Yes, that's true, but it's also under the control of the user, who is able to delete that any time they like, or via automated settings (e.g. delete after 30 days).

In HTTP vocabulary, POST is used for creating resources, whereas GET is explicitly for retrieving them, including searching. Browsers usually store POST contents too (e.g. try refreshing a POSTed page and it will offer to repost the data), but as a user you have less visibility and direct control over this – the browser could keep POST history exactly as it does for GET requests. So the only difference between them in privacy terms is how visible it is on the client side – it makes no difference on the server.
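One way to implement the anonymising log process mentioned in point 3, as an added example that is not part of the original answer: it rewrites constructed access-log lines (combined log format) so that the search term in the query string is replaced before the log is retained, while keeping the parameter keys for aggregation. The `page` allow-list and the log format are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample access-log lines; the first carries a sensitive search term in the query string.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=chest+pain+symptoms&page=2 HTTP/1.1" 200 5123 "https://example.test/" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Matches the quoted request line: method, request target, protocol.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Parameters whose values are harmless and useful for aggregation (assumed allow-list).
KEEP_PARAMS = frozenset({"page"})


def redact_query(target: str, keep: frozenset = KEEP_PARAMS) -> str:
    """Replace the value of every query parameter not in `keep` with 'REDACTED'.

    The keys survive, so you can still count how many searches ran and how
    pagination was used, but the search terms themselves never reach disk.
    """
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = [(k, v if k in keep else "REDACTED") for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(redacted)))


def redact_log_line(line: str) -> str:
    """Rewrite the request target inside one access-log line; other fields are untouched."""
    def sub(m: re.Match) -> str:
        return f'"{m.group("method")} {redact_query(m.group("target"))} {m.group("proto")}"'
    return REQUEST_LINE.sub(sub, line, count=1)


def redact_log(text: str) -> list:
    """Apply the redaction to every non-empty line of a log, e.g. before shipping it to storage."""
    return [redact_log_line(line) for line in text.splitlines() if line]


if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line)
```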