<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: NotMe</title>
    <description>The latest articles on DEV Community by NotMe (@notme36912).</description>
    <link>https://dev.to/notme36912</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3922238%2F623f417a-ddf8-4ea5-ad67-a06c314157f4.jpg</url>
      <title>DEV Community: NotMe</title>
      <link>https://dev.to/notme36912</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/notme36912"/>
    <language>en</language>
    <item>
      <title>HTTP QUERY Is Here — And Your Infrastructure Isn't Ready For It</title>
      <dc:creator>NotMe</dc:creator>
      <pubDate>Wed, 08 Jul 2026 02:39:02 +0000</pubDate>
      <link>https://dev.to/notme36912/http-query-is-here-and-your-infrastructure-isnt-ready-for-it-43ge</link>
      <guid>https://dev.to/notme36912/http-query-is-here-and-your-infrastructure-isnt-ready-for-it-43ge</guid>
      <description>&lt;h1&gt;
  
  
  HTTP QUERY Is Here — And Your Infrastructure Isn't Ready For It
&lt;/h1&gt;

&lt;p&gt;In June 2026, the IETF published &lt;strong&gt;RFC 10008&lt;/strong&gt;, standardizing a new HTTP method: &lt;strong&gt;QUERY&lt;/strong&gt;. It's the first new standard HTTP method since PATCH in 2010, and it fixes a compromise developers have lived with for 16+ years: &lt;em&gt;how do you send a large, structured, read-only request without abusing POST?&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;QUERY combines:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Safe&lt;/strong&gt; — no state change on the server&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Idempotent&lt;/strong&gt; — repeat it, get the same result&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cacheable&lt;/strong&gt; — like GET&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Has a request body&lt;/strong&gt; — like POST
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="nf"&gt;QUERY&lt;/span&gt; &lt;span class="nn"&gt;/orders&lt;/span&gt; &lt;span class="k"&gt;HTTP&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="m"&gt;1.1&lt;/span&gt;
&lt;span class="na"&gt;Host&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;api.example.com&lt;/span&gt;
&lt;span class="na"&gt;Content-Type&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;application/json&lt;/span&gt;
&lt;span class="na"&gt;Accept&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;application/json&lt;/span&gt;

&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"status"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"active"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"filters"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nl"&gt;"region"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"eu"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nl"&gt;"amount_gt"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;500&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Notably, Cloudflare and Akamai engineers co-authored the RFC alongside Julian Reschke — a strong signal that edge/CDN support is coming faster than framework support.&lt;/p&gt;

&lt;p&gt;Below: the three questions actually worth debating right now.&lt;/p&gt;




&lt;h2&gt;
  
  
  1. Caching: Solved in Spec, Unsolved in Practice
&lt;/h2&gt;

&lt;p&gt;With GET, the cache key is just the URL. With QUERY, &lt;strong&gt;the cache key must incorporate the request body&lt;/strong&gt;, since the "identity" of the request now lives partly in the payload.&lt;/p&gt;

&lt;p&gt;This creates real engineering work for caching layers:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The proxy/CDN must &lt;strong&gt;buffer the body&lt;/strong&gt; before it can even compute a cache key&lt;/li&gt;
&lt;li&gt;It must &lt;strong&gt;hash the body&lt;/strong&gt; alongside the URI&lt;/li&gt;
&lt;li&gt;It should ideally &lt;strong&gt;normalize semantically-identical payloads&lt;/strong&gt; (e.g., whitespace or key-order differences in JSON) so equivalent queries hit the same cache entry — otherwise cache hit rates collapse&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This isn't hypothetical difficulty — it's exactly the gap that exists in current CDN cache-key implementations today. Cloudflare Workers' cache key, for example, is built from path and query string; &lt;strong&gt;request bodies do not currently partition the cache&lt;/strong&gt; because only GET/HEAD are cacheable in existing implementations. QUERY breaks that assumption entirely, and CDNs will need dedicated logic before QUERY caching is trustworthy in production.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Bottom line:&lt;/strong&gt; QUERY &lt;em&gt;can&lt;/em&gt; be cached correctly per spec, but until CDNs ship QUERY-aware cache-key logic, treat "QUERY is cacheable" as a promise, not a guarantee your edge layer honors today.&lt;/p&gt;




&lt;h2&gt;
  
  
  2. Why WAFs and Security Layers Flag QUERY as Malicious
&lt;/h2&gt;

&lt;p&gt;This is the most immediate real-world pain point. Reasons boil down to:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Method allowlists predate the RFC.&lt;/strong&gt; WAFs, API gateways, and load balancers typically enumerate accepted methods (&lt;code&gt;GET, POST, PUT, DELETE, PATCH&lt;/code&gt;). An unrecognized method often gets rejected outright, or worse, misrouted.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;QUERY looks like an anomaly to signature-based rules.&lt;/strong&gt; A "GET-like" request carrying a JSON body doesn't match existing heuristics tuned to associate bodies with mutation, so some systems flag it as suspicious traffic or a protocol violation.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CORS treats it as non-safelisted.&lt;/strong&gt; QUERY is &lt;em&gt;not&lt;/em&gt; a CORS-safelisted method, meaning browser JavaScript must trigger a preflight &lt;code&gt;OPTIONS&lt;/code&gt; request — infrastructure that doesn't expect QUERY may not handle that preflight correctly either.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CSRF middleware assumptions break.&lt;/strong&gt; Libraries that assume "safe methods = no body = no CSRF risk" now have a method that's safe &lt;em&gt;and&lt;/em&gt; carries a body, which some implementations weren't designed to reason about.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Practical takeaway:&lt;/strong&gt; before adopting QUERY, audit — don't assume — how your WAF, gateway, CDN, and CSRF middleware treat unrecognized methods. Some will drop it silently, which is worse than an explicit rejection.&lt;/p&gt;




&lt;h2&gt;
  
  
  3. Architectural Benefits Over POST-for-Search
&lt;/h2&gt;

&lt;p&gt;Moving from &lt;code&gt;POST /search&lt;/code&gt; to &lt;code&gt;QUERY /search&lt;/code&gt; isn't cosmetic — it restores semantics the protocol actually enforces:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;/th&gt;
&lt;th&gt;POST-for-read&lt;/th&gt;
&lt;th&gt;QUERY&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Cacheable&lt;/td&gt;
&lt;td&gt;No (POST responses aren't cached by default)&lt;/td&gt;
&lt;td&gt;Yes, by spec&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Safe/idempotent&lt;/td&gt;
&lt;td&gt;Not signaled to intermediaries&lt;/td&gt;
&lt;td&gt;Explicit&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Auto-retry on failure&lt;/td&gt;
&lt;td&gt;Unsafe to assume&lt;/td&gt;
&lt;td&gt;Safe by definition&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Redirect behavior&lt;/td&gt;
&lt;td&gt;301/302 often converts to GET and &lt;strong&gt;drops the body&lt;/strong&gt;
&lt;/td&gt;
&lt;td&gt;301/302/307/308 preserve the method and body&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Browser/proxy semantics&lt;/td&gt;
&lt;td&gt;Assumed mutation&lt;/td&gt;
&lt;td&gt;Correctly identified as a read&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The GraphQL ecosystem is the clearest beneficiary — GraphQL has used POST for all operations (including reads) purely to carry a body, sacrificing HTTP-level caching and safe retries in the process. QUERY gives that read path a semantically correct home without changing the query language itself.&lt;/p&gt;

&lt;p&gt;For REST APIs with complex filter/search payloads (nested objects, arrays, boolean logic), QUERY also removes the need to cram parameters into URLs, which historically broke on &lt;strong&gt;length limits&lt;/strong&gt; (varying wildly across browsers/proxies, often 2–8KB) and leaked &lt;strong&gt;sensitive parameters into logs and browser history&lt;/strong&gt;.&lt;/p&gt;




&lt;h2&gt;
  
  
  Should You Use It in Production Today?
&lt;/h2&gt;

&lt;p&gt;Not yet, but start preparing:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Spec status:&lt;/strong&gt; Final (Proposed Standard, RFC 10008) — this isn't a draft anymore&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Client support:&lt;/strong&gt; No native &lt;code&gt;fetch()&lt;/code&gt; support until WHATWG acts; curl and HTTP libraries are catching up&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Server frameworks:&lt;/strong&gt; Early/partial support (e.g., .NET 10 already supports it); most frameworks haven't shipped yet&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Edge/CDN:&lt;/strong&gt; Best positioned to move fast given Cloudflare/Akamai authorship, but no confirmed general-availability cache handling yet&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Action items if you're evaluating QUERY:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Watch your framework and CDN changelogs for explicit QUERY support announcements&lt;/li&gt;
&lt;li&gt;Audit WAF/gateway method allowlists now — don't wait for a 405 in production&lt;/li&gt;
&lt;li&gt;If you're stuck tunneling GraphQL or complex filters through POST, start scoping the migration path, but keep POST as the production path until infra support is confirmed&lt;/li&gt;
&lt;/ol&gt;




&lt;p&gt;&lt;em&gt;What's your stack's current behavior when it receives an unrecognized HTTP method — silent drop, 405, or does it pass through? Worth checking before QUERY traffic shows up in the wild.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>ai</category>
      <category>trend</category>
      <category>http</category>
    </item>
  </channel>
</rss>
