In the recent pentest, it was pointed out as a low-severity issue that the action API can suffer from "verb tampering".
Verb tampering ( https://web.archive.org/web/20170517030540/http://cdn2.hubspot.net/hub/315719/file-1344244110-pdf/download-files/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf ) is when you restrict access to an endpoint via a WAF rule or other access control means, but only restrict a specific blacklist of HTTP methods. The attacker evades the access control by using an HTTP method like `DELETE`, which our API would treat like a GET.
I don't really think this is in our threat model. But I think the fact that DELETE and PUT act like GET is potentially confusing to users. To that end, I would like to propose that the action API respond with a 405 status code for any HTTP method other than GET, HEAD, POST or OPTIONS.
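One way to implement the proposal above, as an added example that is not the project's own code: a small WSGI middleware that sits in front of the API mount point, checks the request method against an explicit allow-list (GET, HEAD, POST, OPTIONS) and answers 405 Method Not Allowed, with the required `Allow` header, for anything else. The `/api/action` prefix, the `legacy_action_app` stand-in (which mimics the "every method acts like GET" behaviour the issue describes) and the `make_request` driver are assumptions made for this illustration; `MethodAllowList` is hypothetical and not an existing API.

```python
# Added example, not code from the project or the issue author: a WSGI
# middleware enforcing an allow-list of HTTP methods on an API path prefix.
# The prefix, the toy downstream app and the in-process request driver are
# assumptions for illustration only.

ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST", "OPTIONS"})
API_PREFIX = "/api/action"  # assumed mount point; adjust to the real one


def legacy_action_app(environ, start_response):
    """Toy stand-in for the current behaviour: every method, DELETE and PUT
    included, is handled exactly like a GET and answers 200."""
    body = b'{"success": true}'
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


class MethodAllowList:
    """Reject any request under `prefix` whose method is not on the allow-list.

    An allow-list (rather than a blacklist of bad verbs) is the point: an
    unexpected method such as DELETE, TRACE or a made-up verb never reaches
    the downstream app, so there is nothing to tamper with.
    """

    def __init__(self, app, prefix=API_PREFIX, allowed=ALLOWED_METHODS):
        self.app = app
        self.prefix = prefix
        self.allowed = frozenset(m.upper() for m in allowed)

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        path = environ.get("PATH_INFO", "")
        if path.startswith(self.prefix) and method not in self.allowed:
            body = b"405 Method Not Allowed\n"
            # RFC 7231 section 6.5.5: a 405 response must carry an Allow
            # header listing the methods the resource does support.
            headers = [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(body))),
                ("Allow", ", ".join(sorted(self.allowed))),
            ]
            start_response("405 Method Not Allowed", headers)
            return [body]
        return self.app(environ, start_response)


def make_request(app, method, path):
    """Drive a WSGI app in-process (no network) and return
    (status line, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.url_scheme": "http",
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


# The guarded app is the legacy app wrapped by the allow-list middleware.
guarded_app = MethodAllowList(legacy_action_app)

if __name__ == "__main__":
    # Constructed sample path; "some_action" is not a real action name.
    for method in ("GET", "POST", "OPTIONS", "DELETE", "PUT", "TRACE"):
        before = make_request(legacy_action_app, method, "/api/action/some_action")[0]
        after = make_request(guarded_app, method, "/api/action/some_action")[0]
        print(f"{method:8} unguarded: {before:22} guarded: {after}")
```

Running the block side by side shows the difference the issue describes: without the middleware every method, DELETE and PUT included, gets a 200 from the action endpoint, while behind `MethodAllowList` only the four listed methods reach it and everything else gets a 405 with `Allow: GET, HEAD, OPTIONS, POST`. Paths outside the prefix are passed through untouched, so the guard can be added without affecting the rest of the site.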