About1
An HTTP method (HTTP verb) is safe if it doesn’t alter the state of the server . In other words, a method is safe if it leads to a read-only operation . Several common HTTP methods are safe: GET method , HEAD method or OPTIONS method . All safe methods are also idempotent , but not all idempotent methods are safe. For example, PUT method and DELETE method are both idempotent but unsafe.
Even if safe methods have a read-only semantic, servers can alter their state : e.g., they can log or keep statistics . What is important here is that by calling a safe method, the client doesn’t request any server change itself, and therefore won’t create an unnecessary load or burden for the server . Browsers can call safe methods without fearing to cause any harm to the server; this allows them to perform activities like pre-fetching without riks. Web crawlers also rely on calling safe methods.
It is responsibility of the application on the server to implement the safe semantic correctly, the web server itself, being Apache, Nginx or IIS, can’t enforce it by itself. In particular, an application should not allow GET requests to alter its state .
Calling a safe method
GET /pageX.html HTTP/1.1
A call to a non-safe method, that may change the state of the server :
POST /pageX.html HTTP/1.1
A call to an idempotent but non-safe method:
DELETE /idX/delete HTTP/1.1
Anki
Links
References
MDN. “safe”. Available at: https://developer.mozilla.org/en-US/docs/Glossary/Safe/HTTP . (Accessed: ). ↩︎