Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is there any reason not to use HTTP PUT and DELETE in a web application?

Looking around, I can't name a single web application (not web service) that uses anything besides GET and POST requests. Is there a specific reason for this? Do some browsers (or servers) not support any other types of requests? Or is this only for historical reasons? I'd like to make use of PUT and DELETE requests to make my life a little easier on the server-side, but I'm reluctant to because no one else does.

like image 398
Sasha Chedygov Avatar asked Jul 09 '09 04:07

Sasha Chedygov


People also ask

Should you use HTTP delete?

If you POST or event GET to do a DELETE, you're simply misusing HTTP methods that are clearly defined respectively as methods to create a new resource and retrieve an existing resource. Use integration tests to ensure a junior dev can't alter API behaviour.

Is HTTP PUT insecure?

So, generally HTTP methods like PUT and DELETE are considered to be insecure.

Is put unsafe?

Several common HTTP methods are safe: GET , HEAD , or OPTIONS . All safe methods are also idempotent, but not all idempotent methods are safe. For example, PUT and DELETE are both idempotent but unsafe.

Why should I use Put instead of POST?

Use PUT when we want to modify a singular resource that is already a part of resources collection. PUT replaces the resource in its entirety. Use PATCH if request updates part of the resource. Use POST when you want to add a child resource under resources collection.


2 Answers

Actually a fair amount of people use PUT and DELETE, mostly for non-browser APIs. Some examples are the Atom Publishing Protocol and the Google Data APIs:

  • http://www.ietf.org/rfc/rfc5023.txt
  • http://code.google.com/apis/gdata/docs/2.0/basics.html

Beyond that, you don't see PUT/DELETE in common usage because most browsers don't support PUT and DELETE through Forms. HTML5 seems to be fixing this:

  • http://www.w3.org/TR/html5/forms.html#form-submission-0

The way it works for browser applications is: people design RESTful applications with PUT and DELETE in mind, then "tunnel" those requests through POSTs from the browser. For example, see this SO question on how Ruby on Rails accomplishes this using hidden fields:

  • How can I emulate PUT/DELETE for Rails and GWT?

So, you wouldn't be on your own designing your application with the larger set of HTTP verbs in mind.

EDIT: By the way, if you're curious about why PUT/DELETE are missing from browser based form posts, it turns out there's no real good technical reason. Reading around this thread on the rest-discuss mailing list, especially Roy Fielding's comments, is interesting for some context:

  • http://tech.groups.yahoo.com/group/rest-discuss/message/9620?threaded=1&var=1&l=1&p=13

EDIT: There are some comments on whether AJAX libraries support all the methods. It does come down to the actual browser implementation of XMLHttpRequest. I thought someone might find this link handy, which tests your browser to see how compliant the HttpRequest object is with various HTTP options.

  • http://www.mnot.net/javascript/xmlhttprequest/

Unfortunately, I don't know of a reference which collects these results.

like image 172
ars Avatar answered Sep 18 '22 17:09

ars


Quite simply, the HTML 4.01 form element only allows the values "POST" and "GET" in its method attribute

like image 32
Gareth Avatar answered Sep 18 '22 17:09

Gareth