pillarjs/understanding-csrf

Improper use of "idempotent"

marfire opened this issue · 2 comments

One of your headings reads "GET is always idempotent". Although that is certainly good practice in general, it doesn't have anything to do with CSRF. A GET request that deleted data would be idempotent, but still a major CSRF vulnerability.

I suggest "GET should not have side effects", or something like that.

Here's the reference I was looking for: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html.

What matters here is safety, not idempotence.

Correct, there are two types of methods: idempotent and safe. The CSRF docs should reference safe, rather than idempotent.