ASVS Requirement 3.5.3

• Level: 1
• Chapter: V3 Web Frontend Security
• Section: V3.5 Browser Origin Separation
• Source: 0x12-V3-Web-Frontend-Security.md

Description

Verify that HTTP requests to sensitive functionality use appropriate HTTP methods such as POST, PUT, PATCH, or DELETE, and not methods defined by the HTTP specification as "safe" such as HEAD, OPTIONS, or GET. Alternatively, strict validation of the Sec-Fetch-* request header fields can be used to ensure that the request did not originate from an inappropriate cross-origin call, a navigation request, or a resource load (such as an image source) where this is not expected.