Allowing only POST requests can help for one simple reason - it's harder for people to share the link without knowing what they're giving away.

Of course, using POST is not the only solution here (requiring the invitation to be by the signed-in user is way better), and it can represent a UX problem (refreshing causes the dreaded "form resubmit" warning).

But it's not a no-op. It does have an effect on security in practice, even if it doesn't in theory.
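The handler logic the comment describes, as an added illustration that is not part of the original comment: state only changes on POST, acceptance is bound to the signed-in user, and the POST is answered with a 303 redirect so a refresh does not trigger the "form resubmit" warning. All names (`accept_invite`, `Invite`, `Response`, the `/team` redirect target) are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Invite:
    """One pending invitation; constructed store entry, not a real framework type."""
    invited_user: str
    accepted: bool = False


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (status, headers, body)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def accept_invite(method: str, session_user: Optional[str], token: str,
                  invites: Dict[str, Invite]) -> Response:
    """Hypothetical handler for an 'accept invitation' endpoint.

    Only a POST from the invited, signed-in user changes state.
    """
    # 1. Refuse anything but POST. A state-changing GET link can be pasted into
    #    chat, prefetched or logged by proxies without the sharer realising
    #    what it does, which is the practical risk the comment points at.
    if method != "POST":
        return Response(405, {"Allow": "POST"}, "use POST to accept an invitation")

    # 2. Require a signed-in user before touching the invitation at all.
    if session_user is None:
        return Response(401, {}, "sign in first")

    invite = invites.get(token)
    if invite is None:
        return Response(404, {}, "unknown invitation")

    # 3. Bind acceptance to the signed-in user, so a leaked or shared token is
    #    useless to anyone it was not addressed to (the stronger fix the
    #    comment recommends over relying on POST alone).
    if invite.invited_user != session_user:
        return Response(403, {}, "this invitation is not addressed to you")

    if invite.accepted:
        return Response(409, {}, "already accepted")

    invite.accepted = True

    # 4. POST/redirect/GET: answer with 303 so a browser refresh re-issues a
    #    harmless GET of the target page instead of resubmitting the form.
    return Response(303, {"Location": "/team"}, "")


def demo() -> Dict[str, int]:
    """Walk through the cases with a constructed invitation store."""
    invites = {"tok-abc": Invite(invited_user="alice")}
    results = {
        "get_link_shared": accept_invite("GET", "alice", "tok-abc", invites).status,
        "post_wrong_user": accept_invite("POST", "bob", "tok-abc", invites).status,
        "post_signed_out": accept_invite("POST", None, "tok-abc", invites).status,
        "post_right_user": accept_invite("POST", "alice", "tok-abc", invites).status,
        "post_replayed": accept_invite("POST", "alice", "tok-abc", invites).status,
    }
    return results


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:17s} -> {status}")
```

Running the block prints one status per case; the shared GET link and the wrong user are both rejected without any state change, and only the addressed user's POST flips the invitation to accepted.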
