Get requests to REST APIs are not protected against XSRF, this opens a side-channel to attackers able to read the network traffic.