I was having a discussion with another developer about the CSRF prevention tools in CodeIgniter 3, which apparently only work for POST requests. I looked at the OWASP page on CSRF and it seems to me that the danger in a CSRF attack is that an attacker might trick a user into clicking some link (or submitting a form) that causes the victim to access some website where they are authenticated, thereby performing an operation.
I've been under the impression for some time that POST operations are for changing the state of the server whereas GET operations are for simply retrieving information from the server. As a rule of thumb, I try to make sure my code always uses POST when changing server state.
Assuming I always use POST to change server state, should I still be concerned about CSRF for GET requests? Perhaps we should be transmitting & validating CSRF tokens for all GET requests, too?
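
The rule of thumb in the question, modelled as a small framework-independent dispatcher (an added example, not part of the original post and not CodeIgniter code). The route table, `dispatch`, `new_session` and the `strict` flag are hypothetical names; the token check runs on POST only, as the question describes.

```python
import hmac
import secrets

ROUTES = {}  # path -> (handler, changes_state); hypothetical route table


def route(path, changes_state):
    def register(handler):
        ROUTES[path] = (handler, changes_state)
        return handler
    return register


@route("/account", changes_state=False)
def show_account(session, params):
    return f"balance={session['balance']}"


@route("/transfer", changes_state=True)
def transfer(session, params):
    session["balance"] -= int(params["amount"])
    return "transferred"


def new_session(balance):
    # Per-session CSRF token, constructed for this example.
    return {"balance": balance, "csrf": secrets.token_hex(16)}


def dispatch(method, path, session, params, strict=True):
    """Return (status, body). CSRF tokens are validated on POST only."""
    handler, changes_state = ROUTES[path]
    if strict and changes_state and method != "POST":
        # Enforce the rule of thumb: a state-changing route is never
        # reachable by GET, so the POST-only token check covers it.
        return 405, "method not allowed"
    if method == "POST":
        sent = params.get("csrf_token", "")
        if not hmac.compare_digest(sent, session["csrf"]):
            return 403, "csrf token mismatch"
    # With strict=False a GET reaches a state-changing handler unchecked.
    return 200, handler(session, params)
```

With `strict=False` the dispatcher shows what a POST-only token check leaves open when a state-changing handler also answers GET.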