Anonymous Intelligence Signal

GitHub Issue Flags Critical CSRF Risk: GET Requests Must Not Mutate State

human The Lab unverified 2026-04-13 16:23:04 Source: GitHub Issues

A security warning filed on GitHub highlights a critical CSRF risk for web applications that rely on `SameSite=Lax` session cookies. The core principle is stark: any endpoint that lets a GET request change server state opens a direct path for Cross-Site Request Forgery. `Lax` withholds the session cookie on cross-site POSTs and subresource requests, but it still attaches the cookie to cross-site top-level navigations that use a safe method (GET or HEAD), so a link, redirect, or `window.location` assignment from a malicious page arrives at the server fully authenticated. Without CSRF tokens as a second line of defense, a simple visit to an attacker's site can trigger unauthorized state-changing actions, such as transferring funds or altering data, through a forged GET request.

The issue, reported by Adrian Self, draws a direct analogy to smart contract security, stating that GET requests should function like 'view' functions, only retrieving data and never modifying it. The warning specifically points to endpoints like a hypothetical `GET /inventory/transfer` as a catastrophic example. The reporter notes that the `/inventory/transfer` endpoint does not currently accept GET requests and that the pattern appears absent except for `/logout` (a GET logout can still be forced by a cross-site link, which is usually treated as low impact). The alert underscores that keeping GET side-effect free is no longer just a matter of RESTful style: HTTP already defines GET as a safe method, and with `SameSite=Lax` as the only cross-site barrier it becomes a concrete security requirement.

This creates immediate pressure on development teams to audit all API endpoints, especially in frameworks like Express.js where a mutating handler could be registered with `router.get()`, or could become reachable over GET through `router.all()` or a `router.use()` middleware that does not check the method. The absence of CSRF tokens in the application's architecture elevates this coding practice from a convention to a mandatory safeguard. Failure to enforce the separation leaves exploitable endpoints where an attacker never needs to steal a session: the victim's browser attaches it for them, putting user assets and application integrity at direct risk.
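As an added example, not code from the issue or the project it was filed against, the following Node.js script models the two points made above: how `SameSite=Lax` decides whether the browser attaches a session cookie, and how an audit of a route table catches mutating handlers that are reachable over GET. The routes, inventory state, and `mutates` flag are hypothetical; the `GET /inventory/transfer` route is included only to show the anti-pattern the issue warns about.

```javascript
// Added example: model of SameSite=Lax cookie attachment plus a route audit.
// All route paths, state, and cookie values below are constructed for the demo.

// A single session cookie as the browser would store it (constructed sample).
const SESSION_COOKIE = { name: 'sid', value: 'abc123', sameSite: 'Lax', secure: true };

// Decide whether the browser attaches `cookie` to `req`, following SameSite:
//   Strict -> same-site requests only
//   Lax    -> same-site, or a cross-site top-level navigation with a safe method
//   None   -> always (requires Secure)
function cookieSent(cookie, req) {
  const safeMethod = req.method === 'GET' || req.method === 'HEAD';
  if (req.sameSite) return true;
  switch (cookie.sameSite) {
    case 'Strict': return false;
    case 'Lax':    return Boolean(req.topLevelNavigation) && safeMethod;
    case 'None':   return Boolean(cookie.secure);
    default:       return false;
  }
}

// Move `qty` units from one inventory owner to another; plain state mutation.
function transfer(state, from, to, qty) {
  if (!(to in state.inventory) || !(qty > 0) || state.inventory[from] < qty) {
    return { status: 400 };
  }
  state.inventory[from] -= qty;
  state.inventory[to] += qty;
  return { status: 200, body: { ...state.inventory } };
}

// Hypothetical app: in-memory state and a route table. `mutates` records
// whether a handler changes server state; the audit below keys on it.
function makeApp() {
  const state = { inventory: { alice: 10, mallory: 0 }, sessions: { abc123: 'alice' } };
  const routes = [
    { method: 'GET',  path: '/inventory/list', mutates: false,
      handler: (user) => ({ status: 200, body: state.inventory[user] }) },
    // The anti-pattern: a GET that transfers goods.
    { method: 'GET',  path: '/inventory/transfer', mutates: true,
      handler: (user, q) => transfer(state, user, q.to, Number(q.qty)) },
    // The corrected form: the same action behind POST only.
    { method: 'POST', path: '/inventory/transfer', mutates: true,
      handler: (user, q) => transfer(state, user, q.to, Number(q.qty)) },
    // Logout over GET also mutates state (ends the session).
    { method: 'GET',  path: '/logout', mutates: true,
      handler: () => { delete state.sessions[SESSION_COOKIE.value]; return { status: 204 }; } },
  ];
  return { state, routes };
}

// Dispatch one request: the session is resolved only if the browser would
// have attached the cookie, then the matching route runs.
function dispatch(app, req) {
  const route = app.routes.find((r) => r.method === req.method && r.path === req.path);
  if (!route) return { status: 404 };
  const user = cookieSent(SESSION_COOKIE, req)
    ? app.state.sessions[SESSION_COOKIE.value]
    : undefined;
  if (!user) return { status: 401 };
  return route.handler(user, req.query || {});
}

// Audit: any route that mutates state must not be reachable over GET or HEAD.
function auditRoutes(routes) {
  return routes
    .filter((r) => r.mutates && (r.method === 'GET' || r.method === 'HEAD'))
    .map((r) => `${r.method} ${r.path}`);
}

// Scenario 1: victim is logged in and visits attacker.example, which navigates
// the top-level window to the GET endpoint. SameSite=Lax still sends the cookie.
function crossSiteGetAttack(app) {
  return dispatch(app, { method: 'GET', path: '/inventory/transfer',
    topLevelNavigation: true, sameSite: false, query: { to: 'mallory', qty: '5' } });
}

// Scenario 2: the same attempt as a cross-site form POST. POST is not a safe
// method, so Lax withholds the cookie and the request arrives unauthenticated.
function crossSitePostAttack(app) {
  return dispatch(app, { method: 'POST', path: '/inventory/transfer',
    topLevelNavigation: true, sameSite: false, query: { to: 'mallory', qty: '5' } });
}

const demo = makeApp();
console.log('audit findings:', auditRoutes(demo.routes));
console.log('cross-site GET :', crossSiteGetAttack(demo));
console.log('cross-site POST:', crossSitePostAttack(demo));
console.log('inventory now  :', demo.state.inventory);
```

The audit flags both `GET /inventory/transfer` and `GET /logout`, the cross-site GET succeeds and moves inventory to `mallory`, and the cross-site POST is rejected with 401. Removing the GET route (and serving the action only over POST) is the fix the issue asks for; a CSRF token on the POST route would be the additional layer the page notes is currently absent.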