
Why should you delete using an HTTP POST or DELETE, rather than GET?

I have been working through Microsoft's ASP.NET MVC tutorials, ending up at this page

http://www.asp.net/learn/mvc/tutorial-32-cs.aspx

The following statement is made towards the bottom of this page:

In general, you don’t want to perform an HTTP GET operation when invoking an action that modifies the state of your web application. When performing a delete, you want to perform an HTTP POST, or better yet, an HTTP DELETE operation.

Is this true? Can anyone offer a more detailed explanation for the rationale behind this statement?

Edit

Wikipedia states the following:

Some methods (for example, HEAD, GET, OPTIONS and TRACE) are defined as safe, which means they are intended only for information retrieval and should not change the state of the server.

By contrast, methods such as POST, PUT and DELETE are intended for actions which may cause side effects either on the server

Richard Ev asked Apr 24 '09 14:04


People also ask

Is http delete POST or get?

The HTTP DELETE method is used to delete a resource from the server. Unlike GET and HEAD requests, the DELETE requests may change the server state. Sending a message body on a DELETE request might cause some servers to reject the request. But you still can send data to the server using URL parameters.

Should you use http delete?

If you POST or even GET to do a DELETE, you're simply misusing HTTP methods that are clearly defined respectively as methods to create a new resource and retrieve an existing resource. Use integration tests to ensure a junior dev can't alter API behaviour.

Can we delete using HTTP GET?

However, whether you use POST or DELETE does not matter for CSRF-protection purposes. As long as you do not use GET for calls which are not safe, everything is fine.

What is the difference between POST and delete?

PUT and DELETE are in the middle between GET and POST. The difference between PUT or DELETE and POST is that PUT and DELETE are idempotent, whereas POST is not. PUT and DELETE can be repeated if necessary.


1 Answer

Jon Skeet's answer is the canonical answer. But: Suppose you have a link:

href = "\myApp\DeleteImportantData.aspx?UserID=27" 

and the google-bot comes along and indexes your page? What happens then?

Chris Cudmore answered Oct 20 '22 10:10
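
The crawler scenario from the answer above, as an added example that is not part of the original post: a constructed in-memory app (the names `make_app`, `request`, `crawl` and `run` are hypothetical) in which an indexer follows every link with GET. When the delete action accepts GET, the record disappears; when it is restricted to POST, the crawler receives 405 and the data survives.

```python
import re

def make_app(delete_methods):
    """Tiny in-memory WSGI-style app; delete_methods = verbs allowed to delete."""
    records = {27: "important data"}  # constructed sample record

    def app(environ, start_response):
        method, path = environ["REQUEST_METHOD"], environ["PATH_INFO"]
        if path == "/":
            # Index page carrying a delete link like the href in the answer.
            links = "".join(f'<a href="/delete?UserID={uid}">delete</a>'
                            for uid in records)
            start_response("200 OK", [("Content-Type", "text/html")])
            return [links.encode()]
        if path == "/delete":
            if method not in delete_methods:
                # State-changing action refused for safe methods such as GET.
                start_response("405 Method Not Allowed",
                               [("Allow", ", ".join(delete_methods))])
                return [b""]
            records.pop(int(environ["QUERY_STRING"].split("=")[1]), None)
            start_response("200 OK", [("Content-Type", "text/plain")])
            return [b"deleted"]
        start_response("404 Not Found", [])
        return [b""]

    return app, records

def request(app, method, url):
    """Call the app directly (no network) and return (status, body)."""
    path, _, query = url.partition("?")
    seen = {}
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, lambda status, headers: seen.update(status=status)))
    return seen["status"], body.decode()

def crawl(app):
    """Act like an indexer: GET the index, then GET every href found on it."""
    _, html = request(app, "GET", "/")
    return [request(app, "GET", href)[0] for href in re.findall(r'href="([^"]+)"', html)]

def run(delete_methods):
    """Let the crawler visit the site; return its statuses and surviving data."""
    app, records = make_app(delete_methods)
    return crawl(app), dict(records)

if __name__ == "__main__":
    print("delete via GET: ", run(("GET", "POST")))  # crawler wipes the record
    print("delete via POST:", run(("POST",)))        # crawler gets 405, data kept
```

In a real page the POST-only variant would render a form or button instead of a plain link; the index is kept identical here so that the only difference between the two runs is the verb check.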