Security implications of routing GET and POST requests to the same action

In the Rails routing guide, it says:

Routing both GET and POST requests to a single action has security implications. In general, you should avoid routing all verbs to an action unless you have a good reason to.

What are the security implications of having the same controller action respond to both GET and POST?

Grandpa asked Apr 03 '14 11:04


1 Answer

Security aside, if a single action handles multiple methods now it's on your implementation of the controller's action to react accordingly. It's more obvious to use routing to direct to a specific action than doing "routing" based on HTTP method in the action. It's hopefully less error prone.

Out of "security" considerations:

  • It's clearer to be in one frame of mind or the other when writing an action; a single purpose per action leads to methods with better focus.

  • GET requests are intended to have no side effects, as opposed to POST and other HTTP methods. Dogma aside, presenting something requested is very simple compared to validating user input, performing their action, and reacting accordingly to success or failure. I.e., it's relatively complicated writing actions that do things with user data; don't complicate it by adding another concern.

  • GET responses are typically considered cacheable, as opposed to most of the other responses. There could be something interesting to explore there security wise I suppose.

There might be some actual technical security concerns with parameters (e.g. :user_id) and CSRF attacks (one of the reasons Rails uses a CSRF token for non-GET requests), but I think there are enough potential pitfalls involved in writing an app anyway that the note is valid; it's not worth complicating actions just to cut down on the number of actions you have.

mczepiel answered Oct 27 '22 00:10
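As an added illustration of the CSRF point raised in the answer (this is constructed example code, not from the question, the answer, or Rails itself), the Ruby below simulates Rails' forgery check, which verifies the authenticity token only for non-GET/HEAD requests, and contrasts one action routed to both verbs with the recommended split into a GET-only `edit` and a POST-only `update`. The `forgery_check_passes?`, `dispatch`, and `cross_site_get_outcome` helpers and the `COMBINED_ROUTES`/`SPLIT_ROUTES` tables are hypothetical stand-ins for a routes file and controller.

```ruby
require 'securerandom'

# Constructed stand-in for Rails' protect_from_forgery: the authenticity
# token is verified only for non-GET/HEAD requests, as in Rails.
def forgery_check_passes?(request, session)
  return true if %w[GET HEAD].include?(request[:method])
  request[:params]['authenticity_token'] == session[:csrf_token]
end

# Style 1: one action serves both verbs and decides what to do from the
# submitted params. The state change is reachable over GET, and GET is
# exempt from the forgery check, so a plain cross-site link triggers it.
def combined_action(request, session, account)
  return :forbidden unless forgery_check_passes?(request, session)
  return :rendered_form unless request[:params].key?('email')
  account[:email] = request[:params]['email']
  :updated
end

# Style 2: one action per verb, as the routing guide recommends.
# GET only renders; the state change lives behind POST and the token check.
def edit_action(_request, _session, _account)
  :rendered_form
end

def update_action(request, session, account)
  return :forbidden unless forgery_check_passes?(request, session)
  account[:email] = request[:params]['email']
  :updated
end

# Hypothetical dispatch tables standing in for
# `match '/account', via: [:get, :post]` versus separate `get`/`post` routes.
COMBINED_ROUTES = { 'GET' => :combined_action, 'POST' => :combined_action }.freeze
SPLIT_ROUTES    = { 'GET' => :edit_action,     'POST' => :update_action }.freeze

def dispatch(routes, request, session, account)
  handler = routes[request[:method]]
  return :not_found unless handler
  send(handler, request, session, account)
end

# Constructed scenario: the browser follows a cross-site GET that carries the
# session cookie but no authenticity token. Returns [result, resulting email].
def cross_site_get_outcome(routes)
  session = { csrf_token: SecureRandom.hex(16) }
  account = { email: 'victim@example.test' }
  request = { method: 'GET', params: { 'email' => 'forged@example.test' } }
  [dispatch(routes, request, session, account), account[:email]]
end
```

With the combined route the GET silently rewrites the email; with split routes the same GET only renders the form, and a POST without the token is refused.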