HTTP Methods

GET, POST, PUT, DELETE and other HTTP request methods and their usage.

What Are HTTP Methods? The Verbs of the Web

The Hypertext Transfer Protocol (HTTP) is a structured language that web browsers (clients) and web servers use to communicate. At the core of this language are . You can think of them as the action verbs of a request. They tell the server what the client wants to do with a specific resource, whether that resource is a webpage, an image, a video, or a piece of data from a database.

When a browser sends a request to a server, the very first piece of information in that request is the method. It sets the context for the entire communication. For example, asking the server to simply provide a webpage is a fundamentally different action from asking it to store a user's new profile picture. Using different methods for different actions allows servers to understand the client's intent immediately and process the request efficiently and securely. This system of methods is a cornerstone of the modern web and is particularly crucial in the design of RESTful APIs, which are the backbone of most web services today. In this guide, we will explore the most common methods, their specific purposes, and their defining characteristics.

Primary Methods: The Workhorses of the Web

While numerous HTTP methods exist, a small handful are responsible for the vast majority of interactions on the internet. Understanding these primary methods is essential for grasping how the web functions.

GET

The $GET$ method is used to request a representation of a specified resource. It is the most common method used on the web. Every time you type a URL into your browser, click a hyperlink, or when a webpage loads its images and stylesheets, $GET$ requests are being made. The sole purpose of a $GET$ request is to retrieve data from the server.

Properties of GET

Safe: $GET$ requests are considered . This means they should not have any side effects on the server. Making a $GET$ request should not change any data, create any new data, or trigger any significant actions. A search engine can crawl the web and make billions of $GET$ requests without worrying about accidentally modifying the websites it is indexing.
Idempotent: $GET$ requests are . Making the same $GET$ request once or multiple times should have the same effect. Requesting the homepage of a news site five times in a row will result in you receiving the same homepage each time (barring dynamic content updates), and the server's state will not be altered differently by each request.
Data in URL: Any data sent with a $GET$ request must be encoded in the URL itself, typically in the query string (e.g., /search?query=http). This makes the data visible in server logs, browser history, and network monitoring tools, making $GET$ unsuitable for sensitive information like passwords. It also imposes a practical limit on the amount of data that can be sent, as URLs have length restrictions.
Cacheable: Because $GET$ requests are safe and idempotent, their responses can be cached by browsers, proxy servers, and CDNs (Content Delivery Networks). This improves performance by allowing subsequent requests for the same resource to be served from a local cache instead of going all the way back to the origin server.

Example Scenario

A browser requests a user's profile page.

-- Request --
GET /users/profile/123 HTTP/1.1
Host: api.example.com
Accept: application/json

-- Response --
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 104

{
  "userId": 123,
  "username": "AlexSmith",
  "email": "[email protected]"
}

POST

The $POST$ method is used to submit an entity to the specified resource, often causing a change in state or side effects on the server. It is most commonly used for creating a new resource that is subordinate to another resource. For example, submitting a comment on a blog post creates a new comment resource under that specific post.

Properties of POST

Not Safe: A $POST$ request is not safe because its primary purpose is to create or modify data on the server. Submitting a new user registration form will alter the server's database.
Not Idempotent: $POST$ is not idempotent. Sending the exact same $POST$ request multiple times will result in multiple new resources being created. If you accidentally click the "Submit Order" button twice, you will likely create two separate orders. This is why browsers warn you before re-submitting form data.
Data in Body: The data submitted in a $POST$ request is carried in the message body. This keeps it out of the URL, making it more secure for sensitive information. It also allows for sending large amounts of data, such as file uploads.
Not Cacheable: Generally, responses to $POST$ requests are not cacheable unless the response includes explicit caching headers (e.g., Cache-Control or Expires).

Example Scenario

A user signs up for a new account.

-- Request --
POST /users HTTP/1.1
Host: api.example.com
Content-Type: application/json
Content-Length: 56

{
  "username": "JaneDoe",
  "password": "supersecret"
}

-- Response --
HTTP/1.1 201 Created
Location: /users/456

{
  "userId": 456,
  "message": "User created successfully"
}

PUT

The $PUT$ method is used to replace the entire representation of a target resource with the request payload. If the target resource does not exist, the server may create it. The key difference from $POST$ is that $PUT$ is directed at a specific, known URL, whereas $POST$ sends data to a URL that processes it (e.g., /users) and the server decides the URL of the new resource.

Properties of PUT

Not Safe: Like $POST$ , $PUT$ modifies state on the server.
Idempotent: This is the defining characteristic of $PUT$ . Sending the same $PUT$ request multiple times will have the exact same result as sending it once. If you send a request to update a user's name to "Jane Smith", the first request changes it. The second, third, and fourth requests will simply set the name to "Jane Smith" again, resulting in the same final state on the server.
Data in Body: The payload, which represents the complete updated resource, is sent in the body of the message.

Example Scenario

Updating a user's email address.

-- Request --
PUT /users/123 HTTP/1.1
Host: api.example.com
Content-Type: application/json

{
  "username": "AlexSmith",
  "email": "[email protected]"
}

-- Response --
HTTP/1.1 200 OK

{
  "userId": 123,
  "username": "AlexSmith",
  "email": "[email protected]"
}

DELETE

The $DELETE$ method is used to delete the specified resource from the server. It is a straightforward but powerful operation.

Properties of DELETE

Not Safe: Clearly not safe, as it permanently removes data from the server.
Idempotent: $DELETE$ is idempotent. The first request to delete /users/123 will delete the user. A second request to delete the same resource will result in the same state: the user with ID 123 does not exist. The server might respond with a $204 No Content$ the first time and a $404 Not Found$ the second time, but the end state of the resource itself is identical (it's gone).

Example Scenario

Deleting a user account.

-- Request --
DELETE /users/123 HTTP/1.1
Host: api.example.com

-- Response --
HTTP/1.1 204 No Content

HEAD

The $HEAD$ method asks for a response identical to a $GET$ request, but without the response body. This is extremely useful for checking a resource's metadata, such as its Content-Type, Content-Length, or Last-Modified headers, without having to download the entire file.

Properties of HEAD

Safe: Yes, it does not alter server state.
Idempotent: Yes, for the same reasons as $GET$ .

Example Scenario

Checking the size of a large file before deciding to download it.

-- Request --
HEAD /downloads/large-file.zip HTTP/1.1
Host: storage.example.com

-- Response --
HTTP/1.1 200 OK
Content-Type: application/zip
Content-Length: 104857600
Last-Modified: Fri, 15 Jun 2025 10:00:00 GMT

Secondary Methods: The Specialized Tools

Beyond the primary methods, HTTP defines several others with more specialized purposes, often used in API development or for network diagnostics.

OPTIONS: The $OPTIONS$ method is used to describe the communication options for the target resource. A client can use $OPTIONS$ to find out which HTTP methods a server supports for a specific URL. It is a critical part of the (Cross-Origin Resource Sharing) mechanism. Before a browser sends a complex cross-origin request (like a $PUT$ or $DELETE$ to a different domain), it first sends an $OPTIONS$ request (a "pre-flight" request) to ask the server for permission.
PATCH: The $PATCH$ method is used to apply partial modifications to a resource. While $PUT$ replaces the entire resource, $PATCH$ provides a set of instructions on how to change it. For example, a $PATCH$ request might just contain the instruction to change a user's email address, leaving the username and other fields untouched. This can be more efficient than sending the entire resource representation back and forth. $PATCH$ is not safe and, importantly, is not necessarily idempotent. For example, a patch instruction like "add 10 to the user's score" would produce a different result if sent twice.
CONNECT: The $CONNECT$ method establishes a tunnel to the server identified by the target resource. It is primarily used to create a secure $HTTPS$ connection through an $HTTP$ proxy server. The client asks the proxy to make a TCP connection to the destination server, and once established, the proxy simply relays data back and forth without inspecting the encrypted traffic.
TRACE: The $TRACE$ method performs a message loop-back test along the path to the target resource. It allows a client to see what (if any) changes or additions have been made by intermediate servers (like proxies) to the request message. It is a debugging and diagnostic tool. Due to potential security risks (Cross-Site Tracing), it is often disabled on production web servers.

Understanding Safety vs. Idempotency

Two of the most important but often confused properties of HTTP methods are safety and idempotency. Let's clarify the difference.

Safety

A method is safe if it is intended for read-only operations. When a client makes a safe request, it does not expect any change to the state of the resource on the server. It's like asking a librarian for the table of contents of a book; your question doesn't change the book itself.

Safe Methods: $GET$ , $HEAD$ , $OPTIONS$ , $TRACE$

Unsafe Methods: $POST$ , $PUT$ , $DELETE$ , $PATCH$

Idempotency

A method is idempotent if sending an identical request multiple times has the same effect on the server as sending it just once. The outcome on the server must be the same after the first request and after the Nth request. It's like setting the volume on your TV to 15. The first time you do it, the volume changes. If you do it again, the volume remains 15. The end state is the same.

Idempotent Methods: $GET$ , $HEAD$ , $PUT$ , $DELETE$ , $OPTIONS$ , $TRACE$

Non-Idempotent Methods: $POST$ , $PATCH$ (generally)

Key distinction: Safety is about not changing things (read), while idempotency is about ensuring the same final state upon repetition (write once). All safe methods are by definition also idempotent, but not all idempotent methods are safe ( $PUT$ and $DELETE$ are idempotent because they result in a specific state, but they are not safe because they change that state).