top of page

HTTP Finally Settled the GET vs POST Family Feud

  • Writer: Sundaram Sharma
    Sundaram Sharma
  • 3 days ago
  • 3 min read

For years, API architects and web developers have had to compromise when implementing advanced search endpoints. Complex filtering often meant choosing between cramming large amounts of data into a GET request URL and using a POST request, despite the latter not aligning with REST semantics.

That long-standing limitation was addressed in June 2026, when the Internet Engineering Task Force (IETF) published RFC 10008, officially introducing the QUERY HTTP method. It marks the first new standard HTTP method since PATCH was standardized in 2010.



Why GET and POST Fall Short

Modern applications frequently require rich search capabilities with nested filters, sorting, pagination, and complex criteria. Existing HTTP methods each solve part of the problem but introduce significant trade-offs.


GET: Correct Semantics, Practical Limitations

The GET method is intended for retrieving resources. It is both safe—meaning it does not modify server state—and idempotent, allowing repeated requests to produce the same result.

Despite these advantages, every parameter must be encoded into the URL, creating several practical issues.


URL Length Constraints

Although the HTTP specification doesn't define a maximum URL length, browsers, proxies, CDNs, and load balancers commonly impose limits of around 8 KB. Large filter objects or deeply nested search criteria can quickly exceed these restrictions.


Exposure of Sensitive Data

Since URLs are routinely logged by web servers, reverse proxies, and monitoring systems, sensitive search parameters such as email addresses, customer IDs, or personal identifiers may unintentionally appear in application logs.



POST: Flexible Payload, Incorrect Semantics

To avoid URL limitations, developers often send search filters in the body of a POST request.

While this approach is technically functional, it comes with semantic drawbacks because POST is intended for operations that create or modify resources.

As a result:

  • HTTP clients generally treat POST as non-idempotent, making automatic retries unsafe.

  • Intermediaries such as CDNs and reverse proxies typically do not cache POST responses by default.

  • APIs lose the semantic clarity that distinguishes read operations from state-changing actions.



Introducing the QUERY Method (RFC 10008)

The new QUERY method bridges the gap between GET and POST.

It allows clients to submit complex query data inside the request body while preserving the safety and idempotency guarantees traditionally associated with GET.


According to RFC 10008:

"A QUERY requests that the request target process the enclosed content in a safe and idempotent manner and then respond with the result of that processing."

This enables developers to send structured query payloads without overloading the request URL.


Example

QUERY /products/search HTTP/1.1

Content-Type: application/json

Accept: application/json


{

  "category": "electronics",

  "price": { "lte": 500 },

  "tags": ["smart-home", "wireless"],

  "sort": "-rating"

}


The server processes the supplied query and returns the matching results using a standard 200 OK response.



Comparing GET, POST, and QUERY

Feature

GET

POST

QUERY

Request body

No defined semantics

Yes

Yes

Safe

Yes

No

Yes

Idempotent

Yes

No

Yes

Cacheable

Yes

Limited

Yes

Automatic retries

Yes

No

Yes


Notable Features of QUERY


1. Required Content-Type

Unlike GET, a QUERY request must include a valid Content-Type header that accurately describes the request body.

If the header is missing or inconsistent with the payload, the server is expected to reject the request. This guarantees that the server can correctly interpret formats such as application/json, application/sql, or other supported query languages.



2. Cache-Friendly by Design

Because QUERY is both safe and idempotent, responses are eligible for caching.

However, caches cannot rely solely on the request URL. They must also incorporate the request body—typically by hashing it—when generating the cache key. This enables efficient caching of complex searches that would otherwise be impossible with traditional URL-based caching.



3. Discovering Supported Query Formats

Servers can advertise the query formats they accept using the new Accept-Query response header.

Accept-Query: application/json, application/sql


This allows clients to determine which payload formats are supported before sending a request.



Current Adoption

Although RFC 10008 is now an official standard, ecosystem support is still evolving.

  • Backend frameworks are beginning to add native support. For example, .NET 10 includes HttpMethod.Query.

  • Browser APIs, including fetch(), are gradually introducing support for the new method. Since QUERY is a non-simple HTTP method, cross-origin requests require a CORS preflight (OPTIONS) request.

  • Infrastructure components such as API gateways, load balancers, and Web Application Firewalls may require configuration updates. Older deployments may reject unknown HTTP methods or ignore request bodies sent with QUERY.



Conclusion

The QUERY method fills a gap that has existed in HTTP for years. It combines the expressive request body of POST with the safety, idempotency, and cacheability of GET, allowing APIs to support sophisticated search operations without sacrificing protocol semantics.

While adoption across browsers and infrastructure will take time, QUERY is already a compelling option for internal services and controlled API environments. As support expands, it has the potential to become the preferred standard for complex, read-only query operations.


 
 
 

Comments


Thanks for subscribing!

bottom of page