AJAX POST vs. GET

I'm wondering if it really makes any difference if I use GET or POST in my AJAX calls.

I'm using AJAX to delete an item with a specified ID. Somehow, POST seemed like it was a more fitting choice. But with Razor Pages, an AJAX POST requires several steps to work around cross-site request forgery measures.

Does it make any difference if I just GET or POST here? Or are there any anti-patterns I'm hitting if I don't?

There are many perspectives from which to answer your question "Does it make any difference if I just GET or POST here?" In short, YES, it makes a difference.

GET and POST are both susceptible to CSRF attacks. By using a GET you are creating a wider attack surface. For example, an IMG tag in an email could run your DELETE API on an unsuspecting user. Using a POST makes it less trivial. You'd be better off using POST without supporting anti-forgery than using GET. Ideally, you're using POST with anti-forgery tokens.

Other considerations can include:

  • How the cache handles this request
  • Adherence to REST principles (assuming you intend to have a "REST"ful/like design)
  • It's usually assumed that a GET doesn't directly manipulate server-side state
  • In theory, a URL identifies the location of a resource. If you delete that resource with a GET, what happens the next time you call the GET?
  • A GET won't be protected by CORS because it's assumed not to modify state; the browser will execute the GET and just not return the response to the offending site. With a POST, the browser will run a CORS preflight check using the OPTIONS verb to make sure the request is allowed by the CORS policy returned by your server before your server receives a request with the verb POST.
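
The recommendation above (POST plus an anti-forgery token) as a simplified model, added here as an example and not part of the original answer or of ASP.NET Core's own code. The `/items/delete` endpoint, the request shape and the per-session token lookup are assumptions; `RequestVerificationToken` is the default header name Razor Pages reads.

```javascript
// Added example: a model of the policy, not the framework's implementation.
const TOKEN_HEADER = "requestverificationtoken"; // header names arrive lower-cased

// Compare tokens without stopping at the first differing character.
function tokensMatch(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Client side: the options an AJAX delete would pass to fetch().
// The token is the value the page rendered for this session.
function buildDeleteRequest(id, token) {
  return {
    url: "/items/delete", // hypothetical endpoint
    method: "POST",
    headers: { "Content-Type": "application/json", RequestVerificationToken: token },
    body: JSON.stringify({ id }),
  };
}

// Stand-in for the transport: lower-case header names and attach the token
// the server holds for this session (hypothetical lookup).
function toServerRequest(clientReq, sessionToken) {
  const headers = {};
  for (const [k, v] of Object.entries(clientReq.headers)) headers[k.toLowerCase()] = v;
  return { method: clientReq.method, headers, body: clientReq.body, sessionToken };
}

// Server side: only a POST carrying the session's token may change state.
function handleDelete(req, items) {
  if (req.method !== "POST") return { status: 405, deleted: false }; // GET never deletes
  if (!tokensMatch(req.headers[TOKEN_HEADER], req.sessionToken)) {
    return { status: 400, deleted: false }; // missing or wrong anti-forgery token
  }
  const { id } = JSON.parse(req.body);
  return { status: 200, deleted: items.delete(id) };
}
```
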