Is a REST method that returns dynamically generated random data every time it is accessed safe?
According to RFC 2616 (emphasis mine):
In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the meaning of performing an action other than recovery. These methods must be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user has knowledge of the fact that a possibly unsafe action is being requested.
Naturally, it is not possible to guarantee that the server does not generate side effects as a result of making a GET request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the side effects and therefore cannot be held responsible for them.
My understanding of this is that the method must be considered safe since the only action is recovery. The state of the server does not change with several calls (although the result may be different) since any generated side effects would be the same (like the record that the endpoint was accessed).
I am not sure if this is the case, since you are not accessing a real resource since the data is generated dynamically. I could also be misinterpreting the concepts of secure methods, idempotency and how these concepts relate to REST APIs. Any info is greatly appreciated!
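The distinction the quoted RFC text draws can be checked mechanically. The following is an added example, not part of the original question: a toy in-memory model in which the `Server` class, its routes and the `classify` helper are all hypothetical names. It separates three properties that are easy to conflate: whether resource state changes (safety), whether repeating the call changes state further (idempotency), and whether the response body varies.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Server:
    # Resource state that clients can read or modify through the API.
    counter: int = 5
    # Incidental side effect the client did not request (the access record).
    access_log: list = field(default_factory=list)

    def handle(self, method, path):
        self.access_log.append((method, path))  # happens for every request
        if (method, path) == ("GET", "/random"):
            return 200, secrets.token_hex(16)   # fresh body on every call
        if (method, path) == ("GET", "/counter"):
            return 200, str(self.counter)
        if (method, path) == ("POST", "/counter"):
            self.counter += 1                   # each call changes state again
            return 200, str(self.counter)
        if (method, path) == ("PUT", "/counter"):
            self.counter = 0                    # same end state however often sent
            return 200, str(self.counter)
        return 404, ""


def classify(method, path, calls=3):
    """Return (safe, idempotent, bodies_identical) for repeated identical calls."""
    server = Server()
    before = server.counter
    states, bodies = [], []
    for _ in range(calls):
        _, body = server.handle(method, path)
        states.append(server.counter)
        bodies.append(body)
    safe = all(state == before for state in states)  # resource state untouched
    idempotent = len(set(states)) == 1               # N calls leave same state as 1
    return safe, idempotent, len(set(bodies)) == 1


if __name__ == "__main__":
    for request in [("GET", "/random"), ("GET", "/counter"),
                    ("PUT", "/counter"), ("POST", "/counter")]:
        print(request, classify(*request))
```

In this model the access log grows on every request, including the safe ones, which is the kind of side effect the RFC passage says the user did not request.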