Spring Security documentation confuses "idempotent" with "read-only" in CSRF section #13644

Closed
@matlion

Description

The documentation confuses idempotent with read-only:
https://docs.spring.io/spring-security/reference/features/exploits/csrf.html

Safe methods are expected to be read-only (not idempotent). The reference also states this:
"Request methods are considered "safe" if their defined semantics are
essentially read-only" (https://datatracker.ietf.org/doc/html/rfc7231#section-4.2.1)

An idempotent method can change things, but multiple same requests have the same outcome (e.g. set the user's address via PUT request).
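The distinction matters for CSRF because a token check that exempts "idempotent" methods would skip PUT and DELETE, both of which change state. The following is an added example (not code from the Spring Security project or from this issue) of a minimal CSRF gate that shows the consequence of each wording; the `Request` class, the `csrf_allowed` function and the `methods_wrongly_exempted` helper are assumptions made for illustration, and the method sets come from RFC 7231 sections 4.2.1 and 4.2.2.

```python
"""Added example, not from the Spring Security project: a minimal CSRF gate
demonstrating why the exemption must cover *safe* methods (RFC 7231 s4.2.1),
not *idempotent* ones (RFC 7231 s4.2.2)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import FrozenSet, Optional

# RFC 7231 s4.2.1: safe methods are "essentially read-only".
SAFE_METHODS: FrozenSet[str] = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
# RFC 7231 s4.2.2: idempotent methods are the safe ones plus PUT and DELETE.
# PUT and DELETE change server state, so they must NOT be exempt from CSRF checks.
IDEMPOTENT_METHODS: FrozenSet[str] = SAFE_METHODS | {"PUT", "DELETE"}


@dataclass
class Request:
    """Hypothetical request shape: the HTTP method and the token the client
    submitted (e.g. from a hidden form field or a header), if any."""
    method: str
    csrf_token: Optional[str] = None


def new_session_token() -> str:
    """Generate an unguessable per-session CSRF token."""
    return secrets.token_urlsafe(32)


def csrf_allowed(request: Request, session_token: str,
                 exempt_methods: FrozenSet[str] = SAFE_METHODS) -> bool:
    """Return True if the request may proceed.

    exempt_methods is the set of methods that skip the token check. The
    correct policy is SAFE_METHODS; passing IDEMPOTENT_METHODS reproduces the
    mistake the issue describes (a forged PUT/DELETE passes untokenised).
    """
    if request.method.upper() in exempt_methods:
        return True
    if request.csrf_token is None:
        return False
    # Constant-time comparison so the check does not leak token bytes via timing.
    return hmac.compare_digest(request.csrf_token, session_token)


def methods_wrongly_exempted(exempt_methods: FrozenSet[str]) -> list:
    """State-changing methods a given exemption policy lets through without a token."""
    return sorted(m for m in exempt_methods if m not in SAFE_METHODS)


if __name__ == "__main__":
    token = new_session_token()
    # Constructed requests: a cross-site form cannot know the session token,
    # so a forged PUT arrives with no (or a wrong) token.
    forged_put = Request("PUT")
    print("safe-method policy blocks forged PUT:",
          not csrf_allowed(forged_put, token))
    print("idempotent-method policy lets it through:",
          csrf_allowed(forged_put, token, exempt_methods=IDEMPOTENT_METHODS))
    print("methods the idempotent wording wrongly exempts:",
          methods_wrongly_exempted(IDEMPOTENT_METHODS))
```

Run with `python csrf_gate.py` (any filename) to see that only the safe-method policy blocks a token-less PUT; `methods_wrongly_exempted` lists exactly the methods that the "idempotent" wording would leave unprotected.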

Metadata

Labels

in: docs (An issue in Documentation or samples), type: bug (A general bug)
