HTTP has been the backbone of the web since 1996. In nearly three decades, the core set of methods — GET, POST, PUT, DELETE, PATCH — barely changed. Developers built entire empires of REST APIs on top of them. And for most use cases, they work fine.
But there's been a gap. A structural, annoying, sometimes dangerous gap that every API developer has bumped into at some point: what do you do when you need to search for data, and the search itself is complex?
On July 17, 2026, that gap finally has an official answer. The QUERY HTTP method — standardized on June 15, 2026 and formally defined in RFC 9148 — is the first new addition to the HTTP method family in a very long time. And it solves a real problem that GET and POST never quite handled cleanly.
The Problem: GET Can't Handle Complex Searches
GET is the workhorse of data fetching. You hit a URL, the server gives you data. Simple, clean, cacheable. For straightforward lookups — "give me user 42" or "list all published posts" — GET is perfect.
But modern applications don't always ask simple questions.
Imagine you're building an analytics dashboard. A user wants to filter by twelve different parameters: date ranges, nested geographic regions, specific product categories, user segments with boolean logic, and a free-text search query. That filter set could easily exceed 1,000 bytes.
Here's where GET breaks down. Everything in a GET request lives in the URL. And URLs have practical length limits. Browsers cap them, proxies truncate them, servers reject them. RFC 2616 recommends servers handle at least 8,000 bytes, but many real-world deployments choke well before that.
Worse, those URL parameters get logged everywhere. Browser history captures the full URL. Proxy servers cache it. Server access logs store it. If your search includes sensitive data — a patient ID, a Social Security number fragment, an internal account reference — that information is now sitting in plain text across multiple systems you don't control.
That's not a theoretical concern. That's a real compliance headache.
The Problem: POST Is a Lie
So developers do what developers always do — they hack around the limitation. "Just use POST," someone says in a code review. "You can put a JSON body in a POST request, and the body won't end up in the URL."
Technically true. But semantically wrong.
POST is designed to modify data. It tells the server: "I'm sending you something — create a resource, trigger a process, change some state." That's what HTTP specifications say. That's what web application firewalls expect. That's what server frameworks assume.
When you use POST to search for data, you're lying to every layer in the stack.
This isn't just philosophical purity. It has real consequences:
- Caching breaks. Most HTTP caches — CDNs, reverse proxies, browser caches — won't cache POST responses by default, because POST implies the response could be different every time (since the server state changed).
- Accidental side effects. Some server frameworks and middleware treat POST differently. They might write to audit logs, trigger webhooks, or apply different rate-limiting rules — all because your "search" endpoint looks like a "create" endpoint.
- CSRF risk increases. POST endpoints have different cross-origin security semantics. A search endpoint that uses POST now needs CSRF protection that a GET endpoint wouldn't.
- Retries become dangerous. If a request times out, clients can safely retry a GET (it's idempotent). Retrying a POST might create duplicate records — and your "search" endpoint shouldn't create anything at all.
This mismatch has been a source of bugs, security vulnerabilities, and architectural awkwardness for years. GraphQL, for all its strengths, made it even more common — most GraphQL implementations send queries as POST requests, which means every read operation on a GraphQL API carries the semantic baggage of a write operation.
Enter QUERY: The Right Tool for the Job
The QUERY method is exactly what it sounds like: a GET request that supports a body.
Here's what makes it different:
It's safe and read-only. The QUERY method is defined as a safe, idempotent operation. Sending the same QUERY request ten times in a row will return the same result with zero side effects on the server. No data created, no state changed, no audit trails triggered accidentally.
It supports a request body. Just like POST, you can include structured data — JSON, XML, whatever your API uses — in the request body. Your complex search filters, nested objects, and multi-kilobyte payloads stay out of the URL entirely.
It signals clear intent. When a server receives a QUERY request, there's no ambiguity about what the client wants. It wants to read data. That's it. No need for the server to guess whether this POST is a search or a create operation.
It's natively cacheable. Unlike POST workarounds, QUERY operates at the HTTP protocol layer with proper caching semantics. Caches and CDNs can cache QUERY responses because the method explicitly declares that it won't change server state — something POST can never guarantee.
This last point is worth emphasizing. GraphQL handles complex filtering beautifully, but it works at the application layer. Most GraphQL queries travel as POST requests, and servers typically don't cache POST responses natively. The QUERY method operates at the transport layer, which means HTTP infrastructure — proxies, CDNs, load balancers — can participate in caching without special application-level configuration.
What a QUERY Request Looks Like
If you've ever written an HTTP request, this will feel familiar:
QUERY /api/analytics/events HTTP/1.1
Host: api.example.com
Content-Type: application/json
Accept: application/json
{
"dateRange": {
"start": "2026-01-01",
"end": "2026-06-30"
},
"filters": {
"regions": ["us-west-2", "eu-central-1"],
"eventTypes": ["purchase", "refund"],
"minAmount": 50.00
},
"groupBy": ["region", "month"],
"limit": 100
}
That's it. The URL stays clean. The body carries all the complexity. And every piece of HTTP infrastructure knows this request is a read operation.
The Security Angle: New Method, New Attack Surface
Here's where it gets interesting — and a bit scary.
The QUERY method solves the structural problems of GET and POST for complex reads. But introducing a new HTTP method to the web's infrastructure opens up a significant new playground for attackers and security researchers.
Caching Gets Tricky
QUERY is cacheable, and it has a body. That combination is new to most HTTP infrastructure.
Traditional caching uses the URL and certain headers as the cache key. With QUERY, servers and proxies must include the request body in the cache key as well. If a cache implementation gets this wrong — say it only keys on the URL and ignores the body — different users' search results could leak to each other.
Worse, if sensitive data from the request body ends up in cache logs or debug outputs, you've traded one logging problem (URL parameters in access logs) for another (request bodies in cache debug logs).
Classic Vulnerabilities, New Vectors
Every new HTTP method introduces new opportunities for existing vulnerability classes:
- Input validation failures. Does your WAF validate QUERY request bodies the same way it validates POST bodies? If not, an attacker might smuggle malicious payloads past your defenses.
- Rate limiting gaps. If your rate limiter counts GET and POST requests but doesn't know about QUERY, attackers get free requests.
- CSRF and CORS confusion. Browsers and frameworks need to handle QUERY's cross-origin semantics correctly. In the early adoption phase, misconfigurations are almost guaranteed.
- HTTP request smuggling. Load balancers and reverse proxies that don't understand QUERY might misparse requests, creating smuggling opportunities where the front-end and back-end disagree about where one request ends and the next begins.
- Method confusion. If a WAF or middleware sees an unknown method and falls through to a default handler, it might apply the wrong security policy entirely.
These aren't hypothetical risks. They're the same classes of bugs that appeared when HTTP/2 was introduced, when WebSockets landed, and when every other significant protocol change hit production infrastructure. The pattern is well-established: new protocol features create temporary security gaps until tooling catches up.
Where Adoption Stands
As of mid-2026, adoption is in its early stages:
- Browsers are beginning to add support, but it's not universal yet.
- Web Application Firewalls are updating their rule sets to recognize and properly filter QUERY requests.
- CDNs are rolling out body-aware caching support for QUERY, but configurations vary.
- API frameworks — Express, FastAPI, Spring, ASP.NET — are adding QUERY handlers in their latest releases.
- HTTP client libraries are being updated to support sending QUERY requests.
Full, widespread adoption will take time. This is a protocol-level change, which means every layer of the stack — from the browser to the CDN to the reverse proxy to the application framework to the WAF — needs to understand the new method.
What You Should Do Right Now
If you're a backend developer or API designer:
- Read the RFC. RFC 9148 is the canonical specification. Understand the semantics before you implement.
- Audit your infrastructure. Check whether your reverse proxy, load balancer, and WAF will pass QUERY requests through correctly. Many older configurations block unknown HTTP methods by default.
- Don't rush to production. Start with internal APIs or dev environments. Let your tooling mature before exposing QUERY endpoints to the public internet.
- Update your caching strategy. If you plan to cache QUERY responses, make sure your cache keys include the request body hash, not just the URL.
- Test your security controls. Verify that rate limiting, input validation, CORS, and authentication all work correctly with QUERY — don't assume they do.
If you're a security researcher, this is a massive opportunity. A brand-new HTTP method hitting production infrastructure means fresh attack surface everywhere. Start studying QUERY now, because the bugs that appear during early adoption are often the most impactful.
The Bigger Picture
The QUERY method is not a revolution. It's a correction. For 26 years, developers have been using GET and POST for something neither method was designed to do — and paying the price in security bugs, caching failures, and architectural awkwardness.
QUERY doesn't replace GET. It doesn't replace POST. It fills a gap that should have been filled years ago: a safe, read-only HTTP method that supports a request body.
The protocol is official. The RFC is published. The ecosystem is adapting. Whether you're building APIs, hardening infrastructure, or hunting for vulnerabilities — the QUERY method is something you need to understand.
The web just got a new verb. Use it wisely.
Merits
- Solves URL length limits: Complex search payloads move from URL to request body — no more truncation
- Security improvement: Sensitive search parameters no longer leaked in browser history, access logs, and proxy caches
- Correct semantics: Servers, middleware, and WAFs can distinguish reads from writes without guessing
- Native cacheability: HTTP infrastructure can cache QUERY responses — unlike POST workarounds
- Idempotent and safe: Retries are harmless, which simplifies error handling in distributed systems
- Protocol-level solution: Works across all REST APIs without requiring application-level workarounds like GraphQL
Demerits
- New attack surface: Introduces fresh vectors for smuggling, method confusion, CSRF, and CORS issues
- Caching complexity: Cache implementations must include request body in keys — misconfiguration leaks data
- Slow adoption: Browsers, CDNs, WAFs, and frameworks all need updates before it works reliably end-to-end
- Tooling gaps: Debugging tools, monitoring dashboards, and log parsers may not handle QUERY yet
- Infrastructure blockers: Older reverse proxies and load balancers may silently drop or reject QUERY requests
- False sense of security: Moving parameters out of URLs doesn't eliminate logging risks — bodies can still be logged
Caution
This article discusses the QUERY HTTP method as defined in RFC 9148, standardized in June 2026. Browser support, framework support, and infrastructure compatibility are evolving rapidly. Do not deploy QUERY endpoints in production without verifying that every layer of your stack — from CDN to WAF to application framework — properly handles the new method. Security properties described here assume correct implementation; misconfigured infrastructure can introduce the very vulnerabilities QUERY is designed to prevent. Always test in a controlled environment first.
Frequently asked questions
- What is the HTTP QUERY method and how is it different from GET?
- Can I use QUERY in production APIs right now?
- How does QUERY compare to sending search payloads via POST?
- Will CDNs and proxies cache QUERY responses correctly?
- What security risks does the QUERY method introduce?
- Does QUERY replace GraphQL for complex data fetching?
- How do I add QUERY support to my Express or FastAPI application?
- What happens if my WAF doesn't recognize the QUERY method?
Tags
#http #query-method #rfc-9148 #api-design #web-security #rest-api #caching #http-methods


Responses
Sign in to leave a response.