HTTP Methods Cheatsheet - Online GET POST PUT DELETE Guide

HTTP Methods Reference Updated for 2024 • RESTful API Design

HTTP Methods Cheatsheet

A comprehensive guide to HTTP request methods — GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS, TRACE, and CONNECT. Learn when to use each method, their properties, and RESTful API best practices.

Methods

Safe

Idempotent

Cacheable

Body Allowed

REST Core

Select a Method

GET

Retrieve a resource

Safe Idempotent Cacheable

POST

Create a new resource

Not Safe Not Idempotent

PUT

Replace / upsert a resource

Not Safe Idempotent

DEL

DELETE

Remove a resource

Not Safe Idempotent

PAT

PATCH

Partial update

Not Safe Not Idempotent*

HED

HEAD

Get headers only (no body)

Safe Idempotent Cacheable

OPT

OPTIONS

Discover allowed methods

Safe Idempotent

TRC

TRACE

Diagnostic loop-back test

Safe Idempotent

CON

CONNECT

Establish a tunnel

Not Safe

GET

GET Method

Retrieve a representation of a resource

The GET method is used to retrieve data from a specified resource. It is the most common HTTP method and forms the backbone of data retrieval on the web. GET requests should only retrieve data and have no other side effects — they are considered safe and idempotent.

GET /api/users/123 HTTP/1.1
Host: api.example.com
Accept: application/json
Authorization: Bearer token_here

Key Properties
                             Safe — No side effects
                             Idempotent — Multiple identical requests = same result
                             Cacheable — Responses can be cached
                        
Request Body: ❌ Not recommended | Success Code: 200 OK | Common Use: Fetching web pages, API data retrieval, search queries

POST

POST Method

Create a new subordinate resource

The POST method submits data to be processed by the identified resource. It is commonly used to create new resources, submit form data, or trigger server-side operations. POST is not safe and not idempotent — multiple identical requests may create multiple resources.

POST /api/users HTTP/1.1
Host: api.example.com
Content-Type: application/json

{
  "name": "John Doe",
  "email": "john@example.com"
}

Key Properties
                             Not Safe — Modifies server state
                             Not Idempotent — Duplicate requests create duplicates
                        
Request Body: ✅ Required | Success Code: 201 Created | Common Use: Form submissions, API resource creation, file uploads

PUT

PUT Method

Replace or create a resource at a specific URI

The PUT method replaces all representations of a target resource with the request payload. It is idempotent — sending the same request multiple times produces the same result. Use PUT when you know the exact URI of the resource and want to fully replace it.

PUT /api/users/123 HTTP/1.1
Host: api.example.com
Content-Type: application/json

{
  "name": "Jane Doe",
  "email": "jane@example.com"
}

Key Properties
                             Not Safe — Modifies server state
                             Idempotent — Repeated calls yield same resource state
                        
Request Body: ✅ Required | Success Code: 200 OK / 204 No Content | Common Use: Full resource replacement, upsert operations

DEL

DELETE Method

Remove the specified resource

The DELETE method removes the specified resource from the server. It is idempotent — deleting a resource that's already been deleted should still return a success (usually 204 or 404). DELETE requests typically do not include a body.

DELETE /api/users/123 HTTP/1.1
Host: api.example.com
Authorization: Bearer token_here

Key Properties
                             Not Safe — Removes data permanently
                             Idempotent — Deleting twice = same outcome
                        
Request Body: ❌ Rarely used | Success Code: 200 OK / 204 No Content | Common Use: Removing resources, account deletion, cascading deletes

PAT

PATCH Method

Apply partial modifications to a resource

The PATCH method applies partial updates to a resource. Unlike PUT (which replaces the entire resource), PATCH only modifies the fields provided. It can be idempotent or non-idempotent depending on the implementation. JSON Patch (RFC 6902) and JSON Merge Patch (RFC 7396) are common formats.

PATCH /api/users/123 HTTP/1.1
Host: api.example.com
Content-Type: application/json

{
  "email": "newemail@example.com"
}

Key Properties
                             Not Safe — Modifies server state
                             May be Idempotent* — Depends on implementation
                        
Request Body: ✅ Required | Success Code: 200 OK / 204 No Content | Common Use: Partial updates, field-level modifications

HED

HEAD Method

Identical to GET but returns only headers

The HEAD method is identical to GET except the server MUST NOT return a message body in the response. It's useful for checking if a resource exists, testing links, checking content length before downloading, and validating cached resources.

HEAD /api/files/large-document.pdf HTTP/1.1
Host: api.example.com

# Response: Status + Headers only, NO body

Key Properties
                             Safe — No side effects
                             Idempotent
                             Cacheable
                        
Request Body: ❌ Not allowed | Success Code: 200 OK | Common Use: Checking resource existence, Content-Length inspection, cache validation

OPT

OPTIONS Method

Describe communication options for the target resource

The OPTIONS method requests information about the communication options available for the target resource. It's essential for CORS preflight requests and API discovery. The response includes an Allow header listing supported methods.

OPTIONS /api/users HTTP/1.1
Host: api.example.com
Origin: https://myapp.com
Access-Control-Request-Method: DELETE

Key Properties
                             Safe
                             Idempotent
                        
Request Body: ❌ Not recommended | Success Code: 200 OK / 204 No Content | Common Use: CORS preflight, API capability discovery

TRC

TRACE Method

Perform a message loop-back test

The TRACE method echoes back the received request so the client can see what intermediate servers are adding or modifying. It's primarily used for diagnostic purposes and debugging. Note: Many servers disable TRACE due to security concerns (cross-site tracing attacks).

TRACE / HTTP/1.1
Host: api.example.com
X-Custom-Header: test-value

# Response: Exact request echoed back

Key Properties
                             Safe
                             Idempotent
                        
Request Body: ❌ Not allowed | Success Code: 200 OK | Common Use: Debugging proxy chains (often disabled for security)

CON

CONNECT Method

Establish a tunnel to the server

The CONNECT method establishes a network tunnel (typically TLS/SSL) through a proxy server. It's primarily used for HTTPS connections through HTTP proxies, creating an end-to-end encrypted tunnel between the client and destination server.

CONNECT api.example.com:443 HTTP/1.1
Host: api.example.com:443
Proxy-Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l

Key Properties
                             Not Safe — Establishes tunnel
                        
Request Body: ❌ Not applicable | Success Code: 200 OK | Common Use: HTTPS proxy tunneling, WebSocket upgrade via proxy

HTTP Status Codes Quick Reference

Every HTTP response includes a status code. Here are the most commonly used codes you'll encounter when working with RESTful APIs.

2xx Success

200	OK — Request succeeded
201	Created — Resource created
202	Accepted — Processing
204	No Content — Success, no body

3xx Redirection

301	Moved Permanently
302	Found — Temporary redirect
304	Not Modified — Use cache
307	Temporary Redirect (preserve method)

4xx Client Errors

400	Bad Request — Malformed syntax
401	Unauthorized — Authentication required
403	Forbidden — No permission
404	Not Found — Resource doesn't exist
405	Method Not Allowed
409	Conflict — State conflict
422	Unprocessable Entity
429	Too Many Requests — Rate limit

5xx Server Errors

500	Internal Server Error
502	Bad Gateway
503	Service Unavailable
504	Gateway Timeout

RESTful API Endpoint Conventions

Action	Method	Endpoint	Example	Response
List all	GET	`/users`	`/api/users`	200 + array
Get one	GET	`/users/{id}`	`/api/users/42`	200 + object
Create	POST	`/users`	`/api/users`	201 + object
Full update	PUT	`/users/{id}`	`/api/users/42`	200 / 204
Partial update	PATCH	`/users/{id}`	`/api/users/42`	200 / 204
Delete	DELETE	`/users/{id}`	`/api/users/42`	200 / 204
Nested resource	GET	`/users/{id}/posts`	`/api/users/42/posts`	200 + array

HTTP Methods Decision Flow

Start: Need to interact with /api/resource Read data? → GET Create new? → POST Replace all? → PUT Change part? → PATCH Remove? → DELETE

Frequently Asked Questions

Common questions about HTTP methods, RESTful API design, and best practices.

PUT replaces the entire resource with the request payload. If a field is omitted in a PUT request, it's assumed the field should be removed or reset to default. PATCH applies a partial update — only the fields specified in the request body are modified, and all other fields remain unchanged. Use PUT for full replacements and PATCH for selective field updates. PUT is always idempotent; PATCH may or may not be idempotent depending on the implementation.

An idempotent HTTP method produces the same result on the server regardless of how many times it is executed. For example, sending the same DELETE request twice still results in the resource being deleted (the second call returns 404, but the server state is the same as after the first call). GET, HEAD, PUT, DELETE, OPTIONS, and TRACE are idempotent. POST is not idempotent — sending the same POST request twice creates two separate resources.

A safe HTTP method is one that does not modify the server's state — it's read-only. Safe methods are: GET, HEAD, OPTIONS, and TRACE. Safe methods can be called without any risk of changing data, making them ideal for crawling, link checking, and caching. Note that even safe methods can have side effects like logging or analytics tracking, but they should never alter the resource itself.

Technically, the HTTP/1.1 specification does not explicitly forbid sending a body with a GET request. However, it is strongly discouraged and most servers, proxies, and libraries ignore or reject GET request bodies. Many frameworks strip the body from GET requests entirely. If you need to send complex query parameters, use URL query strings or consider using POST for search endpoints.

Use POST when the server determines the resource's URI (e.g., POST /users → server assigns ID and returns /users/123). Use PUT when the client specifies the exact URI (e.g., PUT /users/123 — the client knows the ID). POST is for creating subordinate resources where the server controls the naming; PUT is for upsert operations where the client controls the resource identifier.

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that restricts cross-origin HTTP requests. When a browser makes a cross-origin request that is not "simple" (e.g., uses custom headers or methods other than GET/POST/HEAD), it first sends an OPTIONS preflight request to check if the server allows the actual request. The server responds with headers like Access-Control-Allow-Methods and Access-Control-Allow-Origin indicating what's permitted.

Common practice is to return 200 OK with a response body (e.g., the deleted resource) or 204 No Content with no body. If the resource doesn't exist, you can return 404 Not Found, though since DELETE is idempotent, some APIs return 204 even if the resource was already deleted. For asynchronous deletions, 202 Accepted is appropriate.

TRACE is disabled due to Cross-Site Tracing (XST) attacks. Attackers can use TRACE to echo back HTTP headers that may contain sensitive information like authentication cookies or tokens. Since TRACE reflects the entire request, it can be exploited to bypass the HttpOnly cookie flag. Most modern web servers (Apache, Nginx, IIS) disable TRACE by default for security reasons.

The standard CRUD-to-HTTP mapping is: Create → POST (create a new resource), Read → GET (retrieve one or many resources), Update → PUT or PATCH (PUT for full replacement, PATCH for partial updates), and Delete → DELETE (remove a resource). This pattern forms the foundation of RESTful API design and is widely adopted across the industry.

Yes, using POST for complex search queries is a common and accepted practice. When search parameters are too long or complex for URL query strings, or when you need to send a JSON body with nested filters, POST to an endpoint like /api/search is appropriate. Some APIs use POST /api/users/search with a JSON body containing filter criteria. While GET is ideal for simple queries, POST is acceptable for complex search operations.

Best Practices

Use Plural Nouns

Use /users not /user. Consistency makes your API predictable and intuitive for developers.

Version Your API

Prefix endpoints with /v1/ or use header-based versioning to avoid breaking existing clients.

Return Proper Status Codes

Always return the appropriate HTTP status code. Don't return 200 OK with an error message in the body.

Use Proper HTTP Headers

Set Content-Type, Accept, and caching headers. Use Location header for 201 responses.

New

HTML Symbol Entities Cheatsheet - Online Search & Copy

Search and copy HTML entities for arrows, math, currency, and symbols. See the glyph and code. Fast reference.

Developer Tools cheatsheet copy HTML entities symbol

New

HTTP Link Header Generator - Online Preload & DNS‑Prefetch

Construct HTTP Link headers for server push replacements, preload, and preconnect. Copy the header value.

Developer Tools generator Link header performance preload

New

Express Route Snippet Generator - Online Node.js API

Enter a resource name and HTTP method to get a complete Express route handler with try/catch and comments.

Developer Tools Express generator Node route

New

Random HTTP Status Code Generator - Online Dev Test

Click to get a random HTTP status code with its name and description. See 418 I'm a teapot. Fun for devs.

Developer Tools fun HTTP random status code

New

JavaScript Regex Cheatsheet - Online Interactive Pattern Reference

Interactive cheatsheet for JavaScript regular expressions with live examples. Click any token to see its explanation and test it on sample text immediately.

Developer Tools cheatsheet JavaScript reference regex

New

Selection & Range API Demo - Online Get/Set Selection

Select text and see the Selection object properties. Create ranges programmatically. Understand how rich‑text editors work.

Developer Tools API demo Range Selection

New

Random Crypto Key Generator - Online Create API Tokens & Secrets

Generate strong random strings for API tokens, session secrets, or encryption keys. Uses crypto.getRandomValues().

Generator crypto generator key token

New

Remove Specific Color - Online Extract or Delete Hue

Select a color in an image and completely remove it or make it transparent. Great for background removal experiments. Local.

Editor delete hue image remove color

New

Blob URL Generator - Online Create Temporary Object URL

Create a Blob from text or a file and generate a temporary URL for it. Understand the Blob API. Dev demo.

Developer Tools Blob generator object URL

New

Interactive Regex Cheatsheet - Online Quick Reference

An interactive reference for regular expression tokens. Click a token to see its explanation and example. Learn regex faster.

Developer Tools cheatsheet interactive reference regex

New

Ingredient Substitution Finder - Online What to Use Instead

Search for common ingredient substitutions (e.g., buttermilk, egg, cornstarch). Quick reference for when you're missing something. Local data.

Cooking Tools finder ingredient substitute

New

Google Apps Script Web App Boilerplate - Online Starter Code

Generate the doGet() and doPost() boilerplate for a Google Apps Script web app. Ready to paste into the editor.

Developer Tools boilerplate generator Google Apps Script web app

New

URL Canonicalizer - Online Normalize & Compare

Enter two URLs and see if they resolve to the same canonical form after normalization. Find duplicate content issues.

Developer Tools canonical compare normalize URL

New

Backpack Weight Planner – Online Distribute Load & Reduce kg

List each item with weight, see total load. Color-coded recommendations for reducing pack weight. Local storage.

Planner backpack optimizer weight

New

Code Screenshot Generator - Online Carbon Code Image Maker

Create beautiful, syntax-highlighted screenshots of your code snippets. Choose themes and export as PNG. All client-side canvas rendering.

Developer Tools code screenshot image share syntax

New

Wood Joint Selector – Online Choose Based on Load & Look

Answer questions about project type and strength needed to get a joint recommendation. Animations.

Home & DIY selector wood joint woodworking

New

Markdown Table Generator - Online Visual Builder & Formatter

Create and format Markdown tables by adjusting rows and columns. Align text, copy the raw Markdown. Perfect for README files.

Developer Tools generator maker Markdown table table

New

Random Dessert Recipe - Online Sweet Treat Idea Generator

Get a random dessert recipe with ingredients and steps. From cakes to cookies. Solve your sweet cravings. Local database.

Food baking dessert random recipe

New

Gradient Match Game - Online Drag & Match Linear CSS

Recreate the target CSS linear gradient by adjusting stops and colors. A unique game for front‑end developers to master gradients.

Developer Tools CSS game gradient match

New

Dynamic Placeholder Image Service - Online Test Images

Generate dynamic placeholder images by specifying width, height, colors, and text. View instantly as a URL you can embed in mockups. Canvas-based.

Developer Tools dynamic image mockup placeholder

New

SDS Chemical Safety Lookup – Online Section Reference

Enter a common chemical name to see summary hazard pictograms and precautions. Quick reference.

Reference lookup safety data sheet SDS

New

IndexedDB Browser - Online View & Edit Client‑Side DB

Explore your website’s IndexedDB databases and object stores. Add, delete, and inspect records. Like phpMyAdmin for IndexedDB.

Debugging browser IndexedDB storage viewer

New

IndexedDB Browser - Online View & Edit Client‑Side DB

Explore your website’s IndexedDB databases and object stores. Add, delete, and inspect records. Like phpMyAdmin for IndexedDB.

Debugging browser IndexedDB storage viewer

New

Babel Config Generator - Online Presets & Plugins

Choose Babel presets (env, React, TypeScript) and plugins. Get a clean babel.config.json to transpile your code. Local tool.

Developer Tools Babel config generator JavaScript

New

Stencil.js Component Generator - Online Web Component Starter

Fill in a component name and generate a complete Stencil.js component with TSX, CSS, and test files. Quick start.

Developer Tools generator starter Stencil web component

New

touch‑action CSS Playground - Online Gesture Control

Limit browser gestures on an element: pan‑x, pinch‑zoom, manipulation. Draw on a canvas to test. Mobile dev helper.

Developer Tools CSS gesture mobile touch‑action

New

Remove White Background - Online Make Transparent

Automatically remove white background from an image and make it transparent. Adjust tolerance. Save as PNG.

Editor image remove background transparency white

New

Image Background Blur Tool - Online Portrait Depth Effect

Apply a blur effect to image background while keeping the subject sharp. Simple brush selection for area to keep sharp. CSS+Canvas implementation, local only.

Editor background blur image portrait

New

Video Color Filter - Online Apply Tint to Video in Browser

Apply real-time CSS filters or canvas effects to a video and download the processed output. Experiment with video post-processing locally.

Editor color filter editing tint video

New

Sudoku Generator - Online Play & Create 9x9 Puzzles

Generate a random Sudoku puzzle with a unique solution. Choose difficulty and type numbers on the board. Timer and mistake counter.

Entertainment 9x9 generator puzzle Sudoku