HTTP Finally Settled the GET vs POST Family Feud
- Sundaram Sharma

- 3 days ago
- 3 min read
For years, API architects and web developers have had to compromise when implementing advanced search endpoints. Complex filtering often meant choosing between cramming large amounts of data into a GET request URL and using a POST request, despite the latter not aligning with REST semantics.
That long-standing limitation was addressed in June 2026, when the Internet Engineering Task Force (IETF) published RFC 10008, officially introducing the QUERY HTTP method. It marks the first new standard HTTP method since PATCH was standardized in 2010.
Why GET and POST Fall Short
Modern applications frequently require rich search capabilities with nested filters, sorting, pagination, and complex criteria. Existing HTTP methods each solve part of the problem but introduce significant trade-offs.
GET: Correct Semantics, Practical Limitations
The GET method is intended for retrieving resources. It is both safe—meaning it does not modify server state—and idempotent, allowing repeated requests to produce the same result.
Despite these advantages, every parameter must be encoded into the URL, creating several practical issues.
URL Length Constraints
Although the HTTP specification doesn't define a maximum URL length, browsers, proxies, CDNs, and load balancers commonly impose limits of around 8 KB. Large filter objects or deeply nested search criteria can quickly exceed these restrictions.
Exposure of Sensitive Data
Since URLs are routinely logged by web servers, reverse proxies, and monitoring systems, sensitive search parameters such as email addresses, customer IDs, or personal identifiers may unintentionally appear in application logs.
POST: Flexible Payload, Incorrect Semantics
To avoid URL limitations, developers often send search filters in the body of a POST request.
While this approach is technically functional, it comes with semantic drawbacks because POST is intended for operations that create or modify resources.
As a result:
HTTP clients generally treat POST as non-idempotent, making automatic retries unsafe.
Intermediaries such as CDNs and reverse proxies typically do not cache POST responses by default.
APIs lose the semantic clarity that distinguishes read operations from state-changing actions.
Introducing the QUERY Method (RFC 10008)
The new QUERY method bridges the gap between GET and POST.
It allows clients to submit complex query data inside the request body while preserving the safety and idempotency guarantees traditionally associated with GET.
According to RFC 10008:
"A QUERY requests that the request target process the enclosed content in a safe and idempotent manner and then respond with the result of that processing."
This enables developers to send structured query payloads without overloading the request URL.
Example
QUERY /products/search HTTP/1.1
Host: api.example.com
Content-Type: application/json
Accept: application/json
{
"category": "electronics",
"price": { "lte": 500 },
"tags": ["smart-home", "wireless"],
"sort": "-rating"
}
The server processes the supplied query and returns the matching results using a standard 200 OK response.
Comparing GET, POST, and QUERY
Feature | GET | POST | QUERY |
Request body | No defined semantics | Yes | Yes |
Safe | Yes | No | Yes |
Idempotent | Yes | No | Yes |
Cacheable | Yes | Limited | Yes |
Automatic retries | Yes | No | Yes |
Notable Features of QUERY
1. Required Content-Type
Unlike GET, a QUERY request must include a valid Content-Type header that accurately describes the request body.
If the header is missing or inconsistent with the payload, the server is expected to reject the request. This guarantees that the server can correctly interpret formats such as application/json, application/sql, or other supported query languages.
2. Cache-Friendly by Design
Because QUERY is both safe and idempotent, responses are eligible for caching.
However, caches cannot rely solely on the request URL. They must also incorporate the request body—typically by hashing it—when generating the cache key. This enables efficient caching of complex searches that would otherwise be impossible with traditional URL-based caching.
3. Discovering Supported Query Formats
Servers can advertise the query formats they accept using the new Accept-Query response header.
Accept-Query: application/json, application/sql
This allows clients to determine which payload formats are supported before sending a request.
Current Adoption
Although RFC 10008 is now an official standard, ecosystem support is still evolving.
Backend frameworks are beginning to add native support. For example, .NET 10 includes HttpMethod.Query.
Browser APIs, including fetch(), are gradually introducing support for the new method. Since QUERY is a non-simple HTTP method, cross-origin requests require a CORS preflight (OPTIONS) request.
Infrastructure components such as API gateways, load balancers, and Web Application Firewalls may require configuration updates. Older deployments may reject unknown HTTP methods or ignore request bodies sent with QUERY.
Conclusion
The QUERY method fills a gap that has existed in HTTP for years. It combines the expressive request body of POST with the safety, idempotency, and cacheability of GET, allowing APIs to support sophisticated search operations without sacrificing protocol semantics.
While adoption across browsers and infrastructure will take time, QUERY is already a compelling option for internal services and controlled API environments. As support expands, it has the potential to become the preferred standard for complex, read-only query operations.




Comments