A safe method is an HTTP method defined as read-only — it must not change server state.
GET, HEAD, and OPTIONS are safe; the contract is that calling them any number of times produces no side effects.
Safe and idempotent are different. Every safe method is idempotent, but not vice versa: DELETE is idempotent yet changes state, so it is not safe. In set terms, safe ⊂ idempotent.
Safety is a contract that crawlers, prefetchers, and proxies rely on. Search bots can freely follow GET links and browsers can prefetch them precisely because GET is assumed safe. That's why turning a state-changing action into a GET link (`/delete?id=42`) is dangerous — a bot merely scraping the link could delete data, and it's vulnerable to CSRF. State-changing actions must be designed with non-safe methods like POST, PUT, or DELETE.