Allowed HTTP Methods

Understand what HTTP methods to judiciously allow for better security as REST APIs are built on HTTP methods.

In this lesson, we’ll try to understand why we should restrict the use of some HTTP methods. So, first, let’s have a primer on the HTTP methods used in REST—which are safe, which are idempotent, and which are cacheable.


Hypertext Transfer Protocol (HTTP) is an application layer protocol for transmitting hypermedia documents, such as HTML. Hypermedia, an extension of the term hypertext, is a nonlinear medium of information that includes graphics, audio, video, plain text, and hyperlinks.

A few points about HTTP

  • It is designed to be a stateless protocol, which means there is no state information—for example, which user is logged in, what the attributes of the user are, and so on.
  • It is a request-response model. In this request-response model, a client computer or software requests data or services, and a server computer or software responds to the request by providing the data or service.
  • It is line-based, meaning every header starts on a new line.

Common methods in HTTP

Even though HTTP defines many methods, GET and POST are the most commonly used ones. It is rather odd that HTML only supports GET and POST. Other HTTP methods, even if valid, are not supported directly in HTML and need to use JavaScript or AJAX calls.

Safe, idempotent, and cacheable

An HTTP method is safe if it is not changing in the server and only getting the data.

An HTTP method is idempotent if the same request is executed any number of times; the result is the same.

An HTTP method is cacheable if it allows storing the information for future use.

Get hands-on with 1200+ tech skills courses.