
The New HTTP QUERY Method: Why GET and POST Weren't Enough
Have you ever built a search feature and hit a wall because your filters were too long for a URL? 😅 Yeah, me too. You start with a clean GET /search?q=... request, everything's happy, and then someone adds ten more filters and suddenly your URL looks like a ransom note.
Most of us just switch to POST at that point and move on with our lives. It works, sure. But it always felt a little... off. POST is meant for creating or changing things, not for asking a question.
Turns out the IETF felt the same way. In June 2026, they published RFC 10008, which defines a brand-new HTTP method called QUERY. It's built specifically to fix this exact headache. Let's break down what it is, why it matters, and how you'd actually use it. 🚀
What Is the HTTP QUERY Method?
Think of HTTP methods like different types of requests you can make to a waiter at a restaurant.
- GET is like pointing at a menu item. Simple, safe, repeatable — you can point at it a hundred times and nothing changes.
- POST is like telling the waiter "surprise me, and also charge my card." It might change something, and doing it twice could mean two charges.
- QUERY is the new one: it's like handing the waiter a detailed written note describing exactly what you want, but with a promise attached — "this is just a question, not an order, so ask it as many times as you need."
In technical terms, QUERY lets you send a request with a body (just like POST), but it's explicitly marked as safe and idempotent — meaning it won't change server state, and repeating it is completely fine.
Here's what it looks like in practice:
QUERY /feed HTTP/1.1
Host: example.org
Content-Type: application/x-www-form-urlencoded
q=foo&limit=10&sort=-published
Compare that to the old GET-with-a-giant-URL approach:
GET /feed?q=foo&limit=10&sort=-published HTTP/1.1
Host: example.org
Same intent, but QUERY moves the data into the body, where it belongs when things get complex.
Why This Topic Matters
You might be thinking, "okay, cool, but why should I care about one new HTTP verb?" Fair question. Here's the real-world pain it solves:
1. URL length limits are real. The spec itself points out that request URIs often need to stay under roughly 8000 characters. If your search has a dozen filters, a full-text query, and some tags, you can blow past that fast.
2. URLs get logged everywhere. Proxies, browser history, server logs, analytics tools — they all love to record URLs. If your "query" contains anything sensitive, that's a problem. A request body is far less likely to get logged the same way.
3. POST breaks caching and safe retries. If your query is actually a POST, browsers and caches can't safely retry it after a dropped connection, because POST might have side effects. QUERY tells everyone in the chain: "relax, this is just a read."
If you've ever debugged a flaky search endpoint or worried about sensitive data leaking into a URL, this method was made for you.
Benefits with Real-Life Examples
-
Cleaner architecture for complex searches. Imagine an e-commerce filter with brand, price range, size, color, and rating. With QUERY, all of that lives in a structured request body instead of a mile-long URL string. Way easier to read and maintain.
-
Safe automatic retries. Since QUERY is idempotent, your HTTP client (or a proxy) can safely resend the request if the connection drops — no risk of accidentally triggering something twice, unlike a risky POST retry.
-
Built-in caching support. RFC 10008 explains that responses to QUERY requests are cacheable, similar to GET. So a cache can store the result and serve it again for an identical query, saving your server some work.
-
Content negotiation like a champ. The
Accept-Queryheader lets a server advertise which query formats it understands — say,application/sqlorapplication/jsonpath— so clients know exactly what to send before they even try. -
Optional shareable URLs. A server can still hand back a
Locationheader pointing to a URI that represents the same query, so you can bookmark or share a query result if you want to — you're just not forced to cram everything into the URL upfront.
GET vs POST vs QUERY: Quick Comparison
| GET | QUERY | POST | |
|---|---|---|---|
| Safe (no side effects) | Yes | Yes | Maybe not |
| Idempotent (safe to repeat) | Yes | Yes | Maybe not |
| Has a request body | No defined meaning | Yes, expected | Yes, expected |
| Cacheable | Yes | Yes | Only in special cases |
| Good for long/complex queries | No | Yes | Sort of, but semantics are unclear |
The short version: QUERY gives you POST's flexibility (a body for your data) with GET's safety guarantees (safe, idempotent, cacheable). It really is the best of both worlds for read-only operations.
Best Tips for Using QUERY
- Always set a
Content-Typeheader. The spec is strict here — if it's missing or doesn't match your actual body content, the server is expected to reject the request with a 4xx error. - Check for support first. You can send an
OPTIONSrequest and look at theAllowheader, or check for anAccept-Queryheader, to see if a server actually supports QUERY before relying on it. - Use it for reads only. If your request changes data on the server, that's not a QUERY — stick with POST, PUT, or PATCH for that.
- Take advantage of conditional requests. Just like GET, QUERY supports things like
If-Modified-Since, so you can avoid re-downloading a query result that hasn't changed. - Don't put sensitive data in a
LocationURI. If your query result gets a temporary URL, make sure that URL itself doesn't leak sensitive query details.
Common Mistakes People Make
Mistake 1: Treating QUERY like a normal POST. It's tempting to just swap the method name and call it done. But since QUERY promises to be safe and idempotent, any implementation that changes server state under the hood is technically breaking the contract — even if nothing crashes right away.
Mistake 2: Forgetting that QUERY needs CORS preflight.
If you're calling this from a browser across origins, QUERY isn't in the CORS-safelisted method list, so your browser will send a preflight OPTIONS request first. Skipping this consideration can lead to confusing failures in production.
Mistake 3: Assuming every server supports it already. QUERY is brand new as of this RFC. Many servers, frameworks, and even browsers won't support it out of the box yet. Always check for support instead of assuming.
Mistake 4: Ignoring the Accept-Query header.
If a server tells you exactly which formats it accepts, use that information instead of guessing and getting a 415 Unsupported Media Type response.
Wrapping Up
The HTTP QUERY method fills a real gap that a lot of developers have quietly worked around for years — usually by misusing POST or fighting with URL length limits. Now there's an official, standardized way to send a safe, idempotent request with a full body, and get proper caching and retry behavior for free.
It's not going to replace GET or POST. It's simply the right tool for a very specific job: asking a detailed question without changing anything. If you build APIs with search, filtering, or reporting features, this is worth keeping on your radar as tooling and framework support catches up.
If this cleared things up for you, I'd love for you to share it with a fellow developer who's fighting with a 3,000-character search URL right now. 😄 You can find more practical, beginner-friendly dev content over at hamidrazadev.com — drop a comment if you have questions or your own QUERY use case!
Muhammad Hamid Raza
Content Author
Originally published on Dev.to • Content syndicated with permission
