Breaking change: Use a POST request to log out #1015

@brian-kephart

Description

Currently a GET request is used to log out, meaning a CSRF attack could log out the user. The request should be a POST with a CSRF token to prevent this.

This route is used in the built-in themes. While the themes can be updated, it's likely that users have used the built-in themes as a starting point for their own custom themes, so fixing this issue would be a breaking change.

Since the only thing such an attack would accomplish is to log out the user, this issue does not put users or data at risk, but it should be addressed at the next major version bump.
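For reference, the two behaviours described in this issue side by side, as an added illustration rather than code from this project: a framework-agnostic, dependency-free sketch where `logout_get` is the current GET route (any cross-site page can trigger it, e.g. via an image tag), and `logout_post` is the fixed route that accepts only POST carrying the session's CSRF token. The session dict, function names and `logout_form_html` template helper are assumptions for the example.

```python
import hmac
import secrets

def new_session(user):
    """Constructed stand-in for the app's session store (assumption, not the project's API)."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}

def logout_get(session):
    """Current behaviour: a GET to the logout route ends the session unconditionally.
    Nothing ties the request to the user's intent, so a cross-site page can trigger it."""
    session.pop("user", None)
    return 302  # redirect after logout

def logout_post(session, method, submitted_token):
    """Fixed behaviour: require POST and a token that matches the one stored in the session.
    A cross-site page can make the browser send the cookie, but cannot read the token."""
    if method != "POST":
        return 405  # method not allowed: GET/HEAD can no longer log the user out
    expected = session.get("csrf_token")
    if not expected or not submitted_token:
        return 403
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(expected, submitted_token):
        return 403
    session.pop("user", None)
    # Rotate the token so a value captured before logout is not reusable afterwards.
    session["csrf_token"] = secrets.token_urlsafe(32)
    return 302

def logout_form_html(session, action="/logout"):
    """What a theme template needs instead of a plain logout link: a POST form with the token."""
    return (
        f'<form method="post" action="{action}">'
        f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}">'
        '<button type="submit">Log out</button></form>'
    )
```

Theme authors who copied the built-in templates would need to replace the logout link with a form like the one `logout_form_html` produces.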
