TIL why potentially destructive actions on a user-facing API should NOT use HTTP GET


Imagine a comment box where each comment has to be approved by a moderator in the backend.

If the backend used GET requests for comment moderation, the URL to moderate a post might look something like this: http://yourdomain.com/moderate/:decision/:postid

For example:

  • http://yourdomain.com/moderate/allow/1
  • http://yourdomain.com/moderate/deny/2

If some evil person posted a comment and knew its postid (let's say 12), they could email you a link to http://yourdomain.com/moderate/allow/12 captioned "Cute cat gifs". You would click on it and BOOM, the comment would be published, because your browser sends your moderator session cookie along with the GET request.

How about links that would delete valuable content? Issue a financial transaction over 2000€ to somebody else?
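To make the difference concrete, here is an added example (not code from the original post) contrasting the link-triggerable GET handler with one that requires POST plus a per-session CSRF token. The in-memory `COMMENTS` and `SESSIONS` stores, the `login_moderator` helper and the two handler functions are assumptions standing in for a real backend.

```python
import hmac
import secrets

# Constructed in-memory stores standing in for the comment backend (hypothetical).
COMMENTS = {12: {"text": "Cute cat gifs", "approved": False}}
SESSIONS = {}  # session id -> {"user": ..., "csrf": ...}


def login_moderator(user):
    """Create a moderator session carrying a random per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def moderate_vulnerable(method, decision, post_id, session_id):
    """The GET design from the post: any request with a valid session cookie
    changes state, so a clicked link is enough."""
    if session_id not in SESSIONS:
        return 401
    COMMENTS[post_id]["approved"] = decision == "allow"
    return 200


def moderate_hardened(method, decision, post_id, session_id, form):
    """Require POST, a valid session and a CSRF token bound to that session."""
    if method != "POST":
        return 405  # a plain link (GET) can never trigger the action
    sess = SESSIONS.get(session_id)
    if sess is None:
        return 401
    token = form.get("csrf", "")
    # constant-time comparison; a cross-site form post cannot know this token
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    if decision not in ("allow", "deny") or post_id not in COMMENTS:
        return 400
    COMMENTS[post_id]["approved"] = decision == "allow"
    return 200
```

The token must be rendered into the moderator's own form and checked on every state-changing request; the method check alone stops links, the token stops forged POSTs from other origins.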