官方原文：

18.5.3 Logging Out

Adding CSRF will update the LogoutFilter to only use HTTP POST. This ensures that log out requires a CSRF token and that a malicious user cannot forcibly log out your users.

譯:新增CSRF將更新LogoutFilter以僅使用HTTP POST。這樣可以確保log out 請求需要CSRF令牌並且惡意使用者無法偽造你的log out 請求。

One approach is to use a form for log out. If you really want a link, you can use JavaScript to have the link perform a POST (i.e. maybe on a hidden form). For browsers with JavaScript that is disabled, you can optionally have the link take the user to a log out confirmation page that will perform the POST.

一種方法是使用表單登出。 如果你真的想要一個連結，你可以使用JavaScript讓連結執行POST（也許在一個隱藏的表單）。對於禁用JavaScript的瀏覽器，您可以選擇包含使用者到登入確認頁面的連結，這將執行POST。

If you really want to use HTTP GET with logout you can do so, but remember this is generally not recommended. For example, the following Java Configuration will perform logout with the URL /logout is requested with any HTTP method:

如果你真的想使用HTTP GET與登出，你可以這樣做，但記住這是一般不推薦。 例如，以下Java配置將執行登出，使用任何HTTP方法請求URL /登出：

@EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http
			.logout()
				.logoutRequestMatcher(new AntPathRequestMatcher("/logout"
 
));
	}
}