CREST Practitioner Security Analyst (CPSA) Practice 2026 - Free CPSA Practice Questions and Study Guide

The HTTP method that is considered risky is PUT. This method allows a client to upload files to the server or update existing resources at a specified URI. Because of its ability to modify server-side data, using PUT can expose the server to various types of vulnerabilities, including unauthorized data modification, server-side resource exhaustion, and potentially overwriting critical files.

In the context of web application security, allowing PUT requests without proper authentication and authorization controls can lead to significant issues. For instance, an attacker could exploit this method to upload malicious scripts or replace existing application files with harmful versions, thereby compromising the integrity and availability of the application.

On the contrary, methods such as GET, HEAD, and OPTIONS are generally considered safer. GET retrieves data and does not change the server's state; HEAD is similar to GET but does not return the body of the response, and OPTIONS is used to describe the communication options for the target resource without making any changes. Therefore, PUT stands out as the more risky option among the listed HTTP methods due to its potential for enabling data modification.