-submits a form. In this configuration all your application's forms
-and AJAX requests should use C<POST>.
-
-This is because the alternative (for complicated reasons relating to
-the web security architecture) is to require your application to make
-a special and different check when the incoming request is going to do
-some kind of action (such as modifying the user's setup, purchasing
-goods, or whatever) rather than just display HTML pages.
-
-To support external links, and C<GET> requests, pass C<<
-promise_check_mutate => 1 >> in I<settings>, and then call C<<
-$authreq->check_mutate() >> before taking any actions. If the
+submits a form which loads your app's main page. In this
+configuration all your application's forms and AJAX requests should
+use C<POST>. This restriction arises from complicated deficiencies
+in the web's security architecture.
+
+The alternative is for your application to always make a special check
+when the incoming request is going to do some kind of action (such as
+modifying the user's setup, purchasing goods, or whatever) rather than
+just display HTML pages. Then non-mutating pages can be linked to
+from other, untrustworthy, websites.
+
+To support external links, and C<GET> requests, pass
+C<< promise_check_mutate => 1 >> in I<settings>, and then call
+C<< $authreq->check_mutate() >> before taking any actions. If the