CONNECT turns proxies into dumb pipes for HTTPS tunneling. TRACE echoes requests for debugging—but its transparency made it a security liability. Two specialized HTTP methods with very different fates.
DELETE is the only HTTP method that asks 'are you sure?'—because destruction, unlike creation, doesn't have an undo button. Here's how to implement it safely.
GET requests are questions—they retrieve data without changing anything. This simple rule enables caching, prefetching, and automatic retries. Break it, and browsers might delete your users' accounts.
HEAD asks servers about resources without downloading them—checking if files exist, how large they are, and when they changed, all without transferring a single byte of content.
HTTP methods are promises about consequences. GET says 'I will only look.' POST says 'Something will change.' Understanding these contracts explains why browsers warn you before refreshing a form, why some requests can be cached and others can't, and how the entire web stays coherent.
The network doesn't tell you whether your request succeeded—it tells you whether it heard back. Idempotency is how you build systems that handle this uncertainty.
OPTIONS asks servers 'what can I do here?' But its real job is stranger: it's the browser asking permission on behalf of JavaScript it doesn't fully trust.
POST doesn't ask for data—it acts on the server. Understanding this distinction is the key to forms, APIs, and secure web applications.
PUT replaces the entire resource—omit a field and it's gone. PATCH modifies only what you specify. The choice determines what happens to the fields you don't mention.
Was this page helpful?