HTTP Request Types
All requests are sent using an “HTTP method”. The method designates the type of request being made to the web server. The most common types of request methods are GET and POST. The other methods defined in RFC 9110 § 9.3 are HEAD, PUT, DELETE, CONNECT, OPTIONS, and TRACE, plus PATCH (RFC 5789). HTTP servers and non-browser API clients widely support all of these — PUT, DELETE, and PATCH are routinely used by REST APIs. From inside a browser the picture is more restricted: HTML <form> elements only support GET and POST, and scripts using the Fetch or XMLHttpRequest APIs are forbidden by the Fetch Standard from issuing CONNECT, TRACE, or TRACK. TRACE is also commonly disabled on servers for security reasons (it can echo headers back to the requester and was abused by historical Cross-Site Tracing attacks).
GET requests
- Sent when URL is submitted in the browser location bar or a user clicks a link
- Send data in the URL and query string
- Reloadable
- Can bookmark
- Used for read-only operations
- View, search, sort, or filter data
- Data does not change
POST requests
- Sent when web form is submitted
- Send data in the request body (encoded per the
Content-Typeheader — typicallyapplication/x-www-form-urlencodedormultipart/form-data) - Semi-reloadable (prompt to send data again)
- Can not bookmark
- Used for write operations
- Create, update, or delete data
- Data does change
Requests should match their purpose. Reject or ignore unexpected request methods. If code is not expecting to receive form data then it should allow GET requests but should reject POST requests. If code is expecting to receive form data then it should allow POST data but should reject GET requests.