According to this NSA guideline: http://www.nsa.gov/ia/_files/support/guidelines_implementation_rest.pdf (page 14):
The "protections described above" refer to the check for a custom HTTP header, which we are currently doing for CSRF attack prevention. We should keep this in place for most verbs, but there is no need to do so for GET requests (as they are always read-only and the response isn't available to a CSRF attacker). Having this restriction on GET is a hassle for legitimate clients that might wish to do a direct read on an endpoint (particularly browsers using something other than XHR). This will become especially relevant when we start serving non-JSON content from our endpoints (ref: CREST-108). This will be an easy change: a simple update to our default router-authz.js file.
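As an added illustration of the change described above (example code, not the project's router-authz.js), the following framework-neutral check requires the custom header on state-changing verbs and exempts read-only ones; it goes slightly beyond the text by treating HEAD like GET, since HEAD is read-only by definition. The header name `X-Requested-With` and the `{ method, headers }` request shape are assumptions for this example.

```javascript
// Added example, not the project's own code: header-based CSRF check that
// exempts read-only verbs. Header name and request shape are assumptions.
const CSRF_HEADER = 'x-requested-with'; // assumed custom header name

// RFC 7231 "safe" methods: read-only, so a forged cross-site request cannot
// change state and the same-origin policy keeps the response from the attacker.
const SAFE_METHODS = new Set(['GET', 'HEAD']);

function headerValue(headers, name) {
  // HTTP header names are case-insensitive; normalise before comparing.
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === name) return v;
  }
  return undefined;
}

// Returns { allowed: true } or { allowed: false, status, reason }.
function authorizeRequest(req) {
  const method = String(req.method || '').toUpperCase();
  if (SAFE_METHODS.has(method)) {
    return { allowed: true }; // no custom header needed for a direct read
  }
  // State-changing verbs must carry the custom header. A browser will not
  // attach it to a cross-origin request without a CORS preflight, so a
  // plain <form> or <img> based CSRF cannot satisfy this check.
  const value = headerValue(req.headers, CSRF_HEADER);
  if (value === undefined || value === '') {
    return { allowed: false, status: 403, reason: `missing ${CSRF_HEADER} header` };
  }
  return { allowed: true };
}

// Express-style middleware wrapper around the same decision (assumed shape
// of res: res.status(code).json(body)).
function csrfHeaderMiddleware(req, res, next) {
  const decision = authorizeRequest(req);
  if (decision.allowed) return next();
  res.status(decision.status).json({ error: decision.reason });
}
```

Keep the GET exemption honest by making sure no GET handler has side effects; once a GET mutates state, the exemption turns into a CSRF hole.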