HTTP methods
Quick reference for common HTTP/1.1 request methods: typical safety (no server-side side effects intended), idempotency (the intended effect of repeating the request is the same as sending it once), and whether a message body is usual. Pair with the status code list when debugging.
Values reflect typical HTTP/1.1 semantics (RFC 9110). APIs may impose stricter rules; always read your framework and server documentation.
| Method | Safe | Idempotent | Body | Summary |
|---|---|---|---|---|
| GET | Yes | Yes | usually no | Retrieve a resource representation. Payload on GET is discouraged and may be ignored by intermediaries—use query parameters instead. |
| HEAD | Yes | Yes | usually no | Same as GET but without a response body (headers only). |
| POST | No | No | usually yes | Submit data to be processed (create actions, RPC-style calls). |
| PUT | No | Yes | usually yes | Replace a resource at a known URI (full representation). |
| PATCH | No | No | usually yes | Apply partial changes to a resource. Idempotency depends on implementation; repeated PATCH may not be safe in all APIs. |
| DELETE | No | Yes | optional | Remove a resource. First DELETE may succeed; later DELETEs often return 404—still considered idempotent in effect. |
| OPTIONS | Yes | Yes | optional | Describe communication options for the target (often CORS preflight). |
| TRACE | Yes | Yes | usually no | Echo the received request (rare; often disabled). Security-sensitive; many proxies and servers disable TRACE. |
| CONNECT | No | No | optional | Establish a tunnel (often HTTPS through HTTP proxy). Used for tunneling; not a typical REST CRUD verb. |
Common use cases
- Check whether DELETE is considered idempotent before designing a retry policy.
- Contrast GET vs HEAD when you only need headers or cache validation.
- Read OPTIONS alongside status codes when debugging CORS preflight.
Common mistakes to avoid
Treating this table as a substitute for your API contract
Frameworks may restrict bodies on certain verbs or add custom semantics—always read your API spec.
Assuming PATCH is always idempotent
The RFC does not define PATCH as idempotent; the result of repeated calls depends on the implementation.
Sending sensitive data with GET
URLs and query strings are logged broadly—use POST or another appropriate verb for secrets.
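
The "Sending sensitive data with GET" point above, as an added example that is not part of the original page: a Python check that scans access-log lines for secret-looking query parameters and redacts their values before the log is shared or stored. The parameter-name list, the log format (Common Log Format) and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumed parameter names that suggest a secret; adjust to your own API.
SENSITIVE = {"password", "passwd", "token", "access_token",
             "api_key", "apikey", "secret", "session"}

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP range, made-up values).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "POST /login HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /items?page=2 HTTP/1.1" 200 1024',
    '203.0.113.9 - - [01/Jan/2025:10:00:12 +0000] "GET /export?API_KEY=abc123&fmt=csv HTTP/1.1" 200 2048',
]

def scan_line(line):
    """Return (method, sensitive_param_names, redacted_line), or None if no request line."""
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    hits = sorted({k for k, _ in pairs if k.lower() in SENSITIVE})
    if not hits:
        return m.group("method"), [], line
    # Rebuild the query string with secret values replaced, other parameters kept.
    query = urlencode([(k, "REDACTED" if k.lower() in SENSITIVE else v)
                       for k, v in pairs])
    target = parts._replace(query=query).geturl()
    redacted = line[:m.start("target")] + target + line[m.end("target"):]
    return m.group("method"), hits, redacted

def findings(lines):
    """Keep only the entries where a secret-looking parameter appeared in the URL."""
    results = [scan_line(line) for line in lines]
    return [r for r in results if r and r[1]]

if __name__ == "__main__":
    for method, hits, redacted in findings(SAMPLE_LOG):
        print(f"{method} exposes {hits}: {redacted}")
```

The POST login in the sample is not flagged because its credentials travel in the body, which a request-line log does not record.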
FAQ
Is this list sent to Toolcore?
No. Filtering and display run entirely in your browser.
Why does GET say “usually no” for a body?
HTTP does not forbid a body on GET, but intermediaries and caches often ignore or strip it—parameters belong in the URI.
Where do CONNECT and TRACE fit in REST APIs?
They are infrastructure or diagnostic methods—most REST CRUD designs use GET/POST/PUT/PATCH/DELETE only.