Delete links should require POST
I sent deletion links to a friend via Slack. When Slack tried to preview the contents of those links, it sent GET requests for them. Jirafeau responded by deleting the files.
The server really should only modify file status in response to a
POST request. When someone visits a delete link with a
GET request, that should ask the user to confirm that they want to delete the file, with a form submit button that re-issues the request with the right method.