web applications – Email Confirmation links must be GET, but not safe

Let’s have a look at RFC 7231, 4.2.1. Safe Methods. Safe methods are allowed to do state changes, although it is highly discouraged. So this is not a violation of the standard. It’s more a deviation from the convention to use GET requests for read-only operations.

But having simply clickable links without active scripts in emails is a higher goal and justifies this deviation from the norm.

4.2.1. Safe Methods

Request methods are considered “safe” if their defined semantics are
essentially read-only; i.e., the client does not request, and does
not expect, any state change on the origin server as a result of
applying a safe method to a target resource. Likewise, reasonable
use of a safe method is not expected to cause any harm, loss of
property, or unusual burden on the origin server.

This definition of safe methods does not prevent an implementation
from including behavior that is potentially harmful, that is not
entirely read-only, or that causes side effects while invoking a safe
method. What is important, however, is that the client did not
request that additional behavior and cannot be held accountable for
it.
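The design the answer argues for, as an added example that is not part of the answer above: a confirmation link that is a plain GET, whose only side effect is marking the address confirmed, and whose handler is idempotent so a reload, a second click or a mail scanner prefetching the link cannot make things worse. The URL, in-memory store and time-to-live are assumptions of this example.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed in-memory state standing in for the application's database.
_pending = {}          # sha256(token) -> {"email": ..., "expires": ...}
_confirmed = set()     # e-mail addresses already confirmed


def issue_confirmation_link(email, base_url="https://example.invalid/confirm",
                            ttl=3600, now=None):
    """Mint a random, time-limited token and return the plain GET link for the mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    # Store only the hash: a leaked table cannot be turned back into live links.
    _pending[hashlib.sha256(token.encode()).hexdigest()] = {
        "email": email, "expires": now + ttl}
    return f"{base_url}?{urlencode({'token': token})}"


def handle_confirm_get(url, now=None):
    """Serve the GET. Marking the address confirmed is the harmless side effect
    RFC 7231 tolerates for a safe method; nothing else (no login, no deletion)
    hangs off this request, and repeating it yields the same outcome.
    Returns (http_status, message)."""
    now = time.time() if now is None else now
    token = parse_qs(urlsplit(url).query).get("token", [""])[0]
    entry = _pending.get(hashlib.sha256(token.encode()).hexdigest())
    if entry is None:
        return 404, "unknown confirmation link"
    if now > entry["expires"]:
        return 410, "link expired, request a new one"
    email = entry["email"]
    if email in _confirmed:
        # Idempotent: a second GET reports success without changing state.
        return 200, f"{email} was already confirmed"
    _confirmed.add(email)
    return 200, f"{email} confirmed"


def is_confirmed(email):
    return email in _confirmed
```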