Right, so what this post is saying is that for the most part the evil is in using this default route, leaving open controller actions that should only be accessible as posts. Will have to look more into the docs, but it's good to know that the methods specified in the guide have some caveats.