I've been working on the login flow for a simple web program. In the process, I learned about two things:
1. Forms cannot submit DELETE or PUT requests.
2. How Cross-Site Request Forgery works - https://owasp.org/www-community/attacks/csrf
Synthesizing these two pieces of knowledge, would it not be true that making your whole API use DELETE and PUT would obviate the need for CSRF tokens? The same-origin policy would prevent anyone but the page itself from making DELETE and PUT requests via JS, which is the only way to use those two methods.
To be clear, I think this is an entirely stupid idea, but it's intriguing nonetheless.
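As an added example (not part of this thread), here is the distinction the post's argument rests on, written as a small server-side guard: which requests an HTML form can produce at all, and an origin check that protects state-changing requests regardless of verb. The `Request` class, `form_submittable` and `csrf_guard` are constructed for illustration; `Origin` and `Sec-Fetch-Site` are the real browser request headers.

```python
# Added example: classify requests the way a browser does and guard
# state-changing methods. Request data below are constructed, not real traffic.
from dataclasses import dataclass, field

# The only method/enctype combinations an HTML <form> can submit. These are also
# the "simple" requests a browser sends cross-origin without a CORS preflight.
FORM_METHODS = {"GET", "POST"}
FORM_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must not change server state


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)  # constructed: lowercase keys

    def header(self, name):
        return self.headers.get(name.lower())


def form_submittable(req):
    """True if an HTML form could have produced this request.
    PUT/DELETE (and any non-form content type such as JSON) return False,
    which is exactly why the post above finds them attractive."""
    ctype = (req.header("content-type") or "").split(";")[0].strip().lower()
    return req.method.upper() in FORM_METHODS and ctype in FORM_CONTENT_TYPES


def csrf_guard(req, site_origin):
    """Decide whether a request may change state, independent of its verb.
    A cross-origin DELETE/PUT is preflighted, but a CORS policy that echoes any
    Origin lets it through, so the verb alone is not the defence. Same-site
    requests are accepted; everything else must carry our own Origin."""
    if req.method.upper() in SAFE_METHODS:
        return True
    if req.header("sec-fetch-site") in ("same-origin", "none"):
        return True  # "none" is a user-initiated navigation, not a cross-site call
    return req.header("origin") == site_origin  # missing Origin -> reject
```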
Forms cannot **yet** submit DELETE or PUT requests. It would be much safer to just use an arbitrary verb, like `e880ccc6-d32f-4eaa-b850-2e513eb7b97b-ing`.