Allow login as a GET

Atm the login phase via frontend is done as a POST request.

Allowing it as a GET means that users can save the Vikunja app as a bookmark like:
https://my.vikunja.com/login?username=foo&password&foo

And it will be logged in without a click for a password stored in the browser or something else.

I don’t think that’s a good idea. These credentials will show up in server logs. A better idea is to either use a password manager or the “stay logged in” functionality.

2 Likes

I don’t understand at all…POST requests can be logged too (but that’s not the default):

The difference is that while POST request contents might get logged, the URL (contents of the GET request) will always be logged.

More reasons: php - For Login GET or POST? - Stack Overflow

1 Like