7fc1955287
Browsers that navigate directly to /logout via the address bar issued a GET against a POST-only route and got 405 Method Not Allowed. Logout is self-destructive, so the GET path can skip antiforgery; the existing POST form (used by the layout's Sign out button) is unchanged and still antiforgery-protected.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>