It depends on what you want to support. I've done similar as I was working on platforms that didn't actually support POST/PUT/DELETE. However you then have to contend with misbehaving caching too.

Seriously? Look at the HTTP protocol and tell me you really believe that.

Their way:

DELETE /something HTTP/1.1

My way:

GET /delete/something HTTP/1.1

Do you really think one is more secure than the other?

Yes because browser implementations do not allow casual DELETE requests. There is a reason the standard says not to use GET for destructive changes.

So let's not a call it a security issue then. Let's call it an "it's too easy to delete" issue. And if that's the case, then that's what we're going for— easy. Remember, if you were truly protecting something that was secure then you would require a security token parameter— which BTW is something we're planning in the next rev, for people who want to protect their machines.

If I was phishing to get you to click on a link to delete a resource, then I would need to know that token, and if I knew that token, then I could just delete it myself. Note that the HAPI spec discourages the use of cookies (which I agree could allow a phishing attack if you were using cookies as a security mechanism).

It also limits the request size to something like 4K.