Open danielmyasnikov opened 4 years ago
I can't think of a way to perform a CSRF attack with a PUT or DELETE request unless CORS settings are completely unrestricted. I agree that the first part of the sentence is not important. Feel free to submit a PR to improve that item.
How is "Use HTTP verbs in a RESTful way" a cross-site request forgery problem?
The second statement in there is correct: "Do not use GET requests to alter the state of resources".
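
Added example, not part of the thread or the project's own code: a simplified JavaScript model of the browser's CORS preflight decision, showing why a cross-origin GET reaches the handler while PUT or DELETE is stopped unless the server's CORS policy allows the calling origin. The function names, policy fields and origins are assumptions made for the illustration; custom request headers, which also trigger a preflight, are not modeled.

```javascript
// Simplified model of the Fetch CORS rules (added example; names are hypothetical).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

function hasUnsafeContentType(req) {
  const ct = (req.contentType || "").split(";")[0].trim().toLowerCase();
  return ct !== "" && !SAFE_CONTENT_TYPES.has(ct);
}

// True when the browser sends an OPTIONS preflight before the real request.
function needsPreflight(req) {
  return !SAFE_METHODS.has(req.method.toUpperCase()) || hasUnsafeContentType(req);
}

// True when the server's preflight response permits the real request.
function preflightAllows(policy, req) {
  const method = req.method.toUpperCase();
  const originOk = policy.allowOrigins.includes(req.origin);
  const credsOk = !req.withCredentials || policy.allowCredentials;
  const methodOk = SAFE_METHODS.has(method) || policy.allowMethods.includes(method);
  const headerOk = !hasUnsafeContentType(req) || policy.allowHeaders.includes("content-type");
  return originOk && credsOk && methodOk && headerOk;
}

// Does the cross-origin request reach the application handler at all?
function reachesHandler(policy, req) {
  // No preflight: the request is sent; CORS only hides the response from the page.
  return !needsPreflight(req) || preflightAllows(policy, req);
}

// Constructed policy and requests for illustration.
const policy = {
  allowOrigins: ["https://app.example"],
  allowMethods: ["PUT", "DELETE"],
  allowHeaders: ["content-type"],
  allowCredentials: true,
};
const other = { origin: "https://other.example", withCredentials: true };
console.log(reachesHandler(policy, { ...other, method: "GET" }));    // true
console.log(reachesHandler(policy, { ...other, method: "DELETE" })); // false
console.log(reachesHandler(policy, { origin: "https://app.example", withCredentials: true, method: "DELETE" })); // true
```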