HTTP Methods

Every HTTP method, with safety / idempotency / cacheability properties and a real-world example.

GET

Read a resource. Should never have side effects.

safe, idempotent, cacheable, no body
`GET /users/42` — fetch user 42's profile.
HEAD

Same as GET but only returns headers — no body. Useful for checking existence or size before downloading.

safe, idempotent, cacheable, no body
`HEAD /large-file.zip` — get `Content-Length` and `Last-Modified` without downloading.
OPTIONS

Ask the server what methods/headers are allowed. Used by CORS preflight.

safe, idempotent, not cacheable, no body
Browser sends `OPTIONS /api/users` before a CORS POST to check it's allowed.
POST

Create a new resource, or any non-idempotent operation. Multiple POSTs may create multiple resources.

not safe, not idempotent, not cacheable, body
`POST /users` with `{name: "Ada"}` body — creates a new user.
PUT

Replace a resource entirely. Same PUT twice = same result.

not safe, idempotent, not cacheable, body
`PUT /users/42` with the full user object — overwrites everything.
PATCH

Partial update. Send only the fields to change.

not safe, not idempotent, not cacheable, body
`PATCH /users/42` with `{email: "new@example.com"}` — only updates email.
DELETE

Remove a resource. Idempotent — second delete returns 404 or 204.

not safe, idempotent, not cacheable, no body
`DELETE /users/42` — remove user 42.
CONNECT

Establish a tunnel through a proxy. Mostly used for HTTPS via HTTP proxy.

not safe, not idempotent, not cacheable, no body
Browser tells proxy `CONNECT example.com:443` to start a TLS tunnel.
TRACE

Echo the received request — for debugging the request chain. Often disabled for security.

safe, idempotent, not cacheable, no body
Rarely used in practice. XST (cross-site tracing) attacks led most servers to disable it.