Both POST and PUT can be used for create and update operations in different situations. So what is the difference between PUT and POST? In short: use PUT if and only if you know both the URL where the resource will live and the entire content of the resource. Otherwise, use POST.
POST is an incredibly common verb. Since it has neither security nor idempotence, and in the RFC it has a relatively poorly worded description, you can use it for almost anything. In fact, you can do all your POST request requests because POST makes very few promises; he can act like GET, PUT or DELETE if he wants. It can also perform some actions that no other verb can do - it can create a new resource at a URL different from the URL in the HTTP request; and it can modify part of the resource without changing all of this (although the proposed, but not widely accepted PATCH method can do something similar).
PUT is a much more restrictive verb. It takes the full resource and saves it at the given URL. If a resource existed before, it is replaced; if not, a new one is created. These properties support idempotency, which can be accomplished by a non-naive creation or update operation. I suspect this may be why a PUT is defined as it is; it is an idempotent operation that allows the client to send information to the server.
Literature:
- RFC 2616 - HTTP 1.1
- RFC 5789 - PATCH Method for HTTP
- Martin Fowler, Richardson's Maturity Model.