RFC 7231, sezione 4.2.1 è pertinente
Request methods are considered "safe" if their defined semantics are essentially read-only; i.e., the client does not request, and does not expect, any state change on the origin server as a result of applying a safe method to a target resource. Likewise, reasonable use of a safe method is not expected to cause any harm, loss of property, or unusual burden on the origin server.
This definition of safe methods does not prevent an implementation from including behavior that is potentially harmful, that is not entirely read-only, or that causes side effects while invoking a safe method. What is important, however, is that the client did not request that additional behavior and cannot be held accountable for it....
The purpose of distinguishing between safe and unsafe methods is to allow automated retrieval processes (spiders) and cache performance optimization (pre-fetching) to work without fear of causing harm. In addition, it allows a user agent to apply appropriate constraints on the automated use of unsafe methods when processing potentially untrusted content.
GET
è vincolato semanticamente per essere sicuro, POST
non lo è.
Un'idea chiave per capire REST è l'interfaccia uniforme; componenti generici (come un browser Web) sono autorizzati ad agire in modo intelligente sulle informazioni presentate a loro. Usare metodi sicuri per innescare effetti collaterali interessanti è una cattiva idea perché i componenti intermedi assumeranno che quegli effetti collaterali, se presenti, non sono significativi (registrazione e così via).