
Comment by thayne

3 months ago

A GET request to `/users/delete?id=354` is dangerous. In particular, it is more vulnerable to a CSRF attack, since a form on another domain can just make a request to that endpoint, using the user's cookies.

It's possible to protect against this using various techniques, but they all add some complexity.

Also, the former is more semantically correct in terms of HTTP and REST.
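An added example, not part of thayne's comment: a server-side check that refuses state changes over safe methods and, for unsafe ones, requires a matching origin and a per-session CSRF token. The origin `https://app.example`, the `X-CSRF-Token` header name, the route table and the token value are assumptions made for illustration.

```python
import hmac
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://app.example"      # assumed origin of the site itself
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Hypothetical route table: path prefixes that change state.
STATE_CHANGING_PATHS = ("/users/delete",)   # the endpoint from the comment


def check_request(method, url, headers, session_token):
    """Return (status, reason) for a request that carries the session cookie.

    session_token is the CSRF token the server stored for that session.
    """
    path = urlsplit(url).path
    method = method.upper()
    if method in SAFE_METHODS:
        # A form or image tag on another site can trigger a GET with cookies.
        if path.startswith(STATE_CHANGING_PATHS):
            return 405, "state change requested with a safe method"
        return 200, "read-only request"
    # Unsafe method: the cookie alone says nothing about who built the request.
    origin = headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return 403, "cross-origin request"
    sent = headers.get("X-CSRF-Token", "")  # assumed header name
    if not session_token or not hmac.compare_digest(
            sent.encode(), session_token.encode()):
        return 403, "missing or wrong CSRF token"
    return 200, "state change allowed"


# Constructed sample requests, each sent with a valid session cookie.
TOKEN = "constructed-token-7f3a"
SAMPLES = [
    ("GET", "/users/delete?id=354", {}),
    ("POST", "/users/delete?id=354", {"Origin": "https://other.example"}),
    ("POST", "/users/delete?id=354", {"Origin": TRUSTED_ORIGIN}),
    ("POST", "/users/delete?id=354",
     {"Origin": TRUSTED_ORIGIN, "X-CSRF-Token": TOKEN}),
    ("GET", "/users?id=354", {}),
]


def run_samples():
    return [check_request(m, u, h, TOKEN)[0] for m, u, h in SAMPLES]


if __name__ == "__main__":
    for (m, u, h), status in zip(SAMPLES, run_samples()):
        print(m, u, h.get("Origin", "-"), "->", status)
```

Only the request that uses an unsafe method, comes from the trusted origin and carries the session's token is allowed to change state; the token comparison uses `hmac.compare_digest` so it does not leak how many leading characters matched.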