> If you rely on the HTTP method to authenticate users to mutate data, you are completely lost

I don't know where you are getting that from but it's the first time I've heard of it.

If your link is indexed by a bot, then that bot will "click" on your links using the HTTP GET method—that is a convention and, yes, a malicious bot would try to send POST and DELETE requests. For the latter, this is why you authenticate users but this is unrelated to the HTTP verb.

> Use cookies and auth params like HN does for the upvote link

If it uses GET, this is not standard and I would strongly advise against it except if it's your pet project and you're the only maintainer.

Follow conventions and make everyone's lives easier, ffs.