KomuraSoft LLC
Chapter 2

HTTP methods — The safe and idempotent promises

Choose between GET, POST, PUT, DELETE, and HEAD by 'what you want done', draw the line with the promises of safe (does not change server state) and idempotent (same result however many times), and use them for retry decisions.

Are you building everything with "just POST it"?

Forms, retrieval, deletion — everything built as POST because it works. Or the reverse: a re-clicked submit button registers an order twice and nobody can find the cause. Method choice is knowledge that lets you get away with vagueness while things merely work — and then bites after the accident happens.

As read in the previous chapter, the method at the front of the request line is the verb of the correspondence. HTTP has many methods, but being able to choose among these five is enough to start.

GET
"Please give me this" — retrieving a resource. Opening a page, loading an image, getting a list from an API
HEAD
"The same answer as GET, minus the body" — when you only want headers such as size or last-modified time
POST
"Please process this" — form submission, creation, and other processing requests. Effects can pile up with each execution
PUT
"Make the content of this URL exactly this" — a replacement aimed at a stated destination (save-and-overwrite)
DELETE
"Please remove the thing at this URL" — a deletion request

For example, PUT /users/42/profile says "make user 42's profile exactly this content", while POST /orders says "process this order data and create a new order". A replacement with a fixed destination is PUT; something newly born or a processing request is POST — that is the basic division.

Practice 2-1 — Choosing among the five verbs

Practice picking the right method from 'what you want done'.

Q1. At the online shop https://shop.example.com, when submitting the contents of an order form to create a new order, which method is most appropriate?

Q2. For a huge video file, you want to know only its size and last-modified time without downloading it. Which method is most appropriate?

Q3. Which best describes the difference between PUT and POST?

Two promises — safe and idempotent

More important than memorizing five verbs are the two promises tied to methods. These two words appear constantly in specifications and in error investigations.

Safe — does not change server state
The "read-only" promise. GET and HEAD qualify. However many times you call them, the server's data does not change
Idempotent — same final state however many times
The promise that whether you run it once or ten times, the server's final state is the same. Besides GET and HEAD, PUT and DELETE qualify

Let us verify this hands-on. Send PUT /users/42/profile replacing the profile with "name = Komura" three times, and the final state is "name = Komura" — the same as once. Send DELETE /orders/7 twice, and the final state — order 7 is gone — is the same (the second call may return 404, but idempotency looks at the server's final state). Meanwhile, send POST /orders three times and three orders exist — POST is not idempotent.

Putting the relations in order: safe always implies idempotent (changing nothing means the result is the same however many times). The converse does not hold — PUT and DELETE sit in the middle band of "changing, but the same however many times": idempotent yet not safe.

Table mapping each of the HTTP methods GET, HEAD, POST, PUT, and DELETE to whether it is safe, whether it is idempotent, and its main use

A map of the five methods laid out on the two axes of safe and idempotent. GET/HEAD keep both promises, PUT/DELETE only idempotency, and POST makes neither promise. This map becomes your decision table for "may I retry?".

Where it pays off in practice — check idempotency before retrying an update

Where these two promises pay off most in practice is the decision to resend (retry) after a communication failure.

When a request times out, there are actually two possibilities: "the request never reached the server", or "it arrived and was fully processed, and only the reply was lost" — and from the client side you cannot tell them apart. This is where idempotency does its work.

Idempotent methods (GET/HEAD/PUT/DELETE)
Even if it was already processed, resending leaves the final state unchanged. You can retry with confidence
Non-idempotent methods (POST)
If it was already processed, a resend means duplicate processing (two orders, two payments). Unconditional retries are dangerous

This is exactly why browsers go out of their way to ask "Resubmit form?" when you reload a POST result page (a scene that reappears in the Chapter 7 cases). It is also why most libraries with built-in automatic retry resend only GET by default — this promise is the justification. "Before retrying an update, check whether the method is idempotent" — repeat it until your hands remember.

Practice 2-2 — Drawing the line between safe and idempotent

State the two promises precisely and tie them to the practical question of 'may I retry?'.

Q4. What promise does it express for a method to be 'safe'?

Q5. Which pair of methods is 'idempotent but not safe'?

Q6. You sent an update API request and it timed out with no response. Before sending the same request again, which is the most appropriate thing to check?

What to take from this chapter

  • The method is the verb of the correspondence. Retrieval is GET, a body-less check is HEAD, processing requests and creation are POST, replacement at a stated destination is PUT, deletion is DELETE
  • Safe = does not change server state (GET/HEAD). Idempotent = same final state however many times (GET/HEAD/PUT/DELETE). Safe always implies idempotent
  • POST is neither safe nor idempotent. Unconditional retries after a timeout risk duplicate processing
  • Check idempotency before retrying an update — the sentence that pays off in practice

Now that you can read the asking side, the next chapter turns to the other half of the correspondence — the server's reply. We decode the 3-digit status codes, starting from the hundreds digit.