The documentation confuses idempotent with read-only: https://docs.spring.io/spring-security/reference/features/exploits/csrf.html

Safe methods are expected to be read-only (not idempotent). This is also what the reference states: "Request methods are considered "safe" if their defined semantics are essentially read-only" https://datatracker.ietf.org/doc/html/rfc7231#section-4.2.1

An idempotent method can change things, but multiple identical requests have the same outcome (e.g. set the user's address via PUT request).
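
The distinction drawn in this issue, as an added example that is not part of the original report and not Spring Security code: a toy CSRF check that exempts idempotent methods lets a token-less PUT change state, while one that exempts only safe methods rejects it. The `Account` class, `dispatch` function, token value and addresses are constructed for illustration.

```python
# Added illustration; every name here is hypothetical, not a Spring Security API.
SAFE = {"GET", "HEAD", "OPTIONS", "TRACE"}   # RFC 7231 section 4.2.1 (read-only)
IDEMPOTENT = SAFE | {"PUT", "DELETE"}        # RFC 7231 section 4.2.2


class Account:
    """Constructed in-memory resource standing in for a user profile."""

    def __init__(self):
        self.address = "1 Original Road"
        self.writes = 0

    def handle(self, method, body=None):
        if method == "PUT":      # idempotent, yet it changes server state
            self.address = body
            self.writes += 1
        return self.address


def requires_csrf_token(method, exempt):
    """A request needs a CSRF token unless its method is in the exempt set."""
    return method.upper() not in exempt


def dispatch(account, method, body, token, expected_token, exempt):
    """Apply the CSRF check to one request and return (status, address)."""
    if requires_csrf_token(method, exempt) and token != expected_token:
        return 403, account.address
    return 200, account.handle(method.upper(), body)


def replay_forged_put(exempt, times=3):
    """Send the same token-less PUT several times under one exemption policy."""
    account = Account()
    statuses = [
        dispatch(account, "PUT", "99 Forged Lane", None, "s3cr3t", exempt)[0]
        for _ in range(times)
    ]
    return statuses, account.address, account.writes
```

Under the `IDEMPOTENT` policy the address ends up the same after one or three replays, which is exactly what idempotency guarantees, and the state change still happened without a token.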

Comment From: jzheaux

Good catch, @matlion. This is now updated in 5.8.x, 6.0.x, 6.1.x, and main.