Allow Get request but only in my domain?

Backend  Unresolved  4  2053
栀梦 2021-01-21 23:58

On my site I can trigger certain things using GET requests, like the ability to hide or delete a comment. I am not very worried, but it would be pretty annoying if someone designs a

4 replies
    野趣味 (OP)
    2021-01-22 00:28

    I mostly agree with status203. Apart from what he has said about POST not really helping, a couple of comments:

    1) GETs are safe only if the application is written correctly. I have seen applications where GETs are used even to make changes. Secondly, on this topic, if you return JSON data as an array and your entry point is not protected against CSRF, on some browsers the attacker may be able to steal the victim's data by enticing the victim to a website that has
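As an added example (not code from the thread), here is the server-side guard the replies are pointing at: a comment hide/delete action is refused on GET, and on POST it must both come from our own origin (Origin header, falling back to Referer, failing closed when neither is present) and carry a per-session anti-CSRF token. `SITE_ORIGIN`, `SECRET_KEY` and the session ids are constructed for the example; a real deployment uses its own origin and a random secret.

```python
import hashlib
import hmac
from urllib.parse import urlparse

SITE_ORIGIN = "https://example.com"          # assumed: the site's own origin
SECRET_KEY = b"constructed-server-secret"    # constructed: use a random key per deployment


def make_csrf_token(session_id: str) -> str:
    """Derive a per-session anti-CSRF token as an HMAC over the session id.

    The token is embedded in our own forms; a third-party page cannot read it,
    so a forged request from another site cannot supply a valid one."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict) -> bool:
    """True only if the request's Origin (or, if absent, Referer) is our own origin.

    A request that carries neither header is rejected (fail closed)."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parsed = urlparse(referer)
        origin = f"{parsed.scheme}://{parsed.netloc}"
    return origin == SITE_ORIGIN


def allow_state_change(method: str, headers: dict, params: dict, session_id: str):
    """Decide whether a state-changing action (hide/delete a comment) may run.

    Returns (allowed, reason). GET never changes state; POST needs a same-origin
    request and a token matching the caller's session."""
    if method != "POST":
        return False, "state-changing action must use POST, not GET"
    if not same_origin(headers):
        return False, "cross-origin request or missing Origin/Referer"
    expected = make_csrf_token(session_id)
    supplied = params.get("csrf_token", "")
    # constant-time comparison so token checking does not leak timing information
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```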
