HTTP Methods

HTTP methods, also known as HTTP verbs, indicate the desired action to be performed on a resource. Each method has specific semantics and security implications that are important to understand.

Common HTTP Methods

GET

The GET method requests a representation of the specified resource. Requests using GET should only retrieve data and should have no other effect.

GET /api/users HTTP/1.1
Host: example.com

Key characteristics:

  • Data is sent in the URL as query parameters
  • Requests can be cached
  • Requests remain in browser history
  • Can be bookmarked
  • Should never be used for sensitive data
  • Has length restrictions

POST

The POST method submits data to the specified resource, often causing a change in state or side effects on the server.

POST /api/users HTTP/1.1
Host: example.com
Content-Type: application/json

{"name": "John Doe", "email": "john@example.com"}

Key characteristics:

  • Data is sent in the request body
  • Requests are never cached
  • Requests do not remain in browser history
  • Cannot be bookmarked
  • No restrictions on data length

PUT

The PUT method replaces all current representations of the target resource with the request payload.

PUT /api/users/123 HTTP/1.1
Host: example.com
Content-Type: application/json

{"name": "John Doe", "email": "john@example.com"}

DELETE

The DELETE method deletes the specified resource.

DELETE /api/users/123 HTTP/1.1
Host: example.com

PATCH

The PATCH method applies partial modifications to a resource.

PATCH /api/users/123 HTTP/1.1
Host: example.com
Content-Type: application/json

{"email": "newemail@example.com"}

Other Methods

Less commonly used HTTP methods include:

  • HEAD: Similar to GET but returns only headers, no body
  • OPTIONS: Returns the HTTP methods supported by the server
  • CONNECT: Establishes a tunnel to the server
  • TRACE: Performs a message loop-back test

Security Considerations

Method-Based Access Control

Different HTTP methods should have different access control rules. For example, GET operations might be allowed for all users, while POST, PUT, and DELETE operations might require authentication and authorization.

Security Warning:

Never rely solely on HTTP method restrictions for security. Always implement proper authentication and authorization on the server side.

Method Spoofing

Attackers can use tools to send any HTTP method to your endpoints, regardless of what your client-side code allows. Always validate and sanitize all incoming requests on the server.

CSRF Protection

Cross-Site Request Forgery (CSRF) attacks can be mitigated by using anti-CSRF tokens for state-changing operations (POST, PUT, DELETE).
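The three considerations above (method-based access control, server-side validation of whatever method actually arrives, and CSRF tokens on state-changing methods) can be enforced in one server-side policy check. The following is an added example, not code from the original page; the parser, the `X-CSRF-Token` header name, and the sample requests are assumptions constructed for illustration. Note that the method string is compared exactly, so an unexpected verb such as TRACE or a lowercase "get" is rejected rather than silently mapped onto a handler.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Methods this API serves; anything else (TRACE, CONNECT, typos) is refused
# with 405 so an unexpected verb never falls through to a handler.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}            # read-only, open to all
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}  # need auth + CSRF

@dataclass
class Request:
    method: str
    path: str
    headers: dict

def parse_request(raw: str) -> Request:
    """Parse the request line and headers of a raw HTTP/1.1 request (assumed format)."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop the body; only headers matter here
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return Request(method, path, headers)       # method is NOT normalised: "get" != "GET"

def authorize(req: Request, user: Optional[str], session_csrf: Optional[str]) -> Tuple[int, str]:
    """Server-side policy: decide purely on what arrived, never on what the client
    'should' have sent. Returns an HTTP status and a short reason."""
    if req.method in SAFE_METHODS:
        return 200, "ok"
    if req.method not in STATE_CHANGING_METHODS:
        return 405, "method not allowed"
    if user is None:                            # state change requires an authenticated user
        return 401, "authentication required"
    supplied = req.headers.get("x-csrf-token")
    # Constant-time comparison of the submitted token with the one bound to the session.
    if not (session_csrf and supplied and hmac.compare_digest(supplied, session_csrf)):
        return 403, "missing or invalid CSRF token"
    return 200, "ok"

# Constructed sample requests (not real traffic).
RAW_GET = "GET /api/users HTTP/1.1\r\nHost: example.com\r\n\r\n"
RAW_DELETE = "DELETE /api/users/123 HTTP/1.1\r\nHost: example.com\r\nX-CSRF-Token: tok123\r\n\r\n"
RAW_TRACE = "TRACE /api/users HTTP/1.1\r\nHost: example.com\r\n\r\n"
RAW_LOWER = "get /api/users HTTP/1.1\r\nHost: example.com\r\n\r\n"
```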