It depends what it's intended to be used by and how it's misused.
GET requests shouldn't make changes. But I've been somewhere this was done internally by an API gateway and it was fine, and made it easy to test by pasting URLs into the browser address bar. I objected to this, but it didn't end up causing any problems.
However if there's a possibility these misused GET requests will be cached or spidered (in other words, if it's a public API, for some value of public), then it will probably lead to things breaking. I've heard a horror story of things getting deleted by web crawlers.
If a POST request is treated as "posting a command to an endpoint" I don't think it would cause problems as long as it's well-documented what the expected behavior is, even if that command is the equivalent of "give me information" or "delete something".
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
It depends what it's intended to be used by and how it's misused.
GET requests shouldn't make changes. But I've been somewhere this was done internally by an API gateway and it was fine, and made it easy to test by pasting URLs into the browser address bar. I objected to this, but it didn't end up causing any problems.
However if there's a possibility these misused GET requests will be cached or spidered (in other words, if it's a public API, for some value of public), then it will probably lead to things breaking. I've heard a horror story of things getting deleted by web crawlers.
If a POST request is treated as "posting a command to an endpoint" I don't think it would cause problems as long as it's well-documented what the expected behavior is, even if that command is the equivalent of "give me information" or "delete something".