Web Application Security Guide/Prefetching and Spiders
Appearance
GET requests are not supposed/expected to trigger actions/changes and are happily followed by various browser mechanisms like Prefetching or Session Restore and by crawlers. This can cause unwanted actions to be triggered completely without user interaction and without the need for an attack.
To prevent this
- Use POST requests instead of GETs for anything that triggers an action
Rationale
GET requests can be automatically and unintentionally triggered, for example by crawlers. For example in cases of “delete” buttons, this can cause a single user with aggressive Prefetching to accidentally delete everything just by opening a listing page. POST requests are expected to trigger actions and are handled accordingly by browsers.