DEV Community

Cover image for HTTP QUERY Is Here — And Your Infrastructure Isn't Ready For It
NotMe
NotMe

Posted on

HTTP QUERY Is Here — And Your Infrastructure Isn't Ready For It

HTTP QUERY Is Here — And Your Infrastructure Isn't Ready For It

In June 2026, the IETF published RFC 10008, standardizing a new HTTP method: QUERY. It's the first new standard HTTP method since PATCH in 2010, and it fixes a compromise developers have lived with for 16+ years: how do you send a large, structured, read-only request without abusing POST?

QUERY combines:

  • Safe — no state change on the server
  • Idempotent — repeat it, get the same result
  • Cacheable — like GET
  • Has a request body — like POST
QUERY /orders HTTP/1.1
Host: api.example.com
Content-Type: application/json
Accept: application/json

{
  "status": "active",
  "filters": { "region": "eu", "amount_gt": 500 }
}
Enter fullscreen mode Exit fullscreen mode

Notably, Cloudflare and Akamai engineers co-authored the RFC alongside Julian Reschke — a strong signal that edge/CDN support is coming faster than framework support.

Below: the three questions actually worth debating right now.


1. Caching: Solved in Spec, Unsolved in Practice

With GET, the cache key is just the URL. With QUERY, the cache key must incorporate the request body, since the "identity" of the request now lives partly in the payload.

This creates real engineering work for caching layers:

  • The proxy/CDN must buffer the body before it can even compute a cache key
  • It must hash the body alongside the URI
  • It should ideally normalize semantically-identical payloads (e.g., whitespace or key-order differences in JSON) so equivalent queries hit the same cache entry — otherwise cache hit rates collapse

This isn't hypothetical difficulty — it's exactly the gap that exists in current CDN cache-key implementations today. Cloudflare Workers' cache key, for example, is built from path and query string; request bodies do not currently partition the cache because only GET/HEAD are cacheable in existing implementations. QUERY breaks that assumption entirely, and CDNs will need dedicated logic before QUERY caching is trustworthy in production.

Bottom line: QUERY can be cached correctly per spec, but until CDNs ship QUERY-aware cache-key logic, treat "QUERY is cacheable" as a promise, not a guarantee your edge layer honors today.


2. Why WAFs and Security Layers Flag QUERY as Malicious

This is the most immediate real-world pain point. Reasons boil down to:

  • Method allowlists predate the RFC. WAFs, API gateways, and load balancers typically enumerate accepted methods (GET, POST, PUT, DELETE, PATCH). An unrecognized method often gets rejected outright, or worse, misrouted.
  • QUERY looks like an anomaly to signature-based rules. A "GET-like" request carrying a JSON body doesn't match existing heuristics tuned to associate bodies with mutation, so some systems flag it as suspicious traffic or a protocol violation.
  • CORS treats it as non-safelisted. QUERY is not a CORS-safelisted method, meaning browser JavaScript must trigger a preflight OPTIONS request — infrastructure that doesn't expect QUERY may not handle that preflight correctly either.
  • CSRF middleware assumptions break. Libraries that assume "safe methods = no body = no CSRF risk" now have a method that's safe and carries a body, which some implementations weren't designed to reason about.

Practical takeaway: before adopting QUERY, audit — don't assume — how your WAF, gateway, CDN, and CSRF middleware treat unrecognized methods. Some will drop it silently, which is worse than an explicit rejection.


3. Architectural Benefits Over POST-for-Search

Moving from POST /search to QUERY /search isn't cosmetic — it restores semantics the protocol actually enforces:

POST-for-read QUERY
Cacheable No (POST responses aren't cached by default) Yes, by spec
Safe/idempotent Not signaled to intermediaries Explicit
Auto-retry on failure Unsafe to assume Safe by definition
Redirect behavior 301/302 often converts to GET and drops the body 301/302/307/308 preserve the method and body
Browser/proxy semantics Assumed mutation Correctly identified as a read

The GraphQL ecosystem is the clearest beneficiary — GraphQL has used POST for all operations (including reads) purely to carry a body, sacrificing HTTP-level caching and safe retries in the process. QUERY gives that read path a semantically correct home without changing the query language itself.

For REST APIs with complex filter/search payloads (nested objects, arrays, boolean logic), QUERY also removes the need to cram parameters into URLs, which historically broke on length limits (varying wildly across browsers/proxies, often 2–8KB) and leaked sensitive parameters into logs and browser history.


Should You Use It in Production Today?

Not yet, but start preparing:

  • Spec status: Final (Proposed Standard, RFC 10008) — this isn't a draft anymore
  • Client support: No native fetch() support until WHATWG acts; curl and HTTP libraries are catching up
  • Server frameworks: Early/partial support (e.g., .NET 10 already supports it); most frameworks haven't shipped yet
  • Edge/CDN: Best positioned to move fast given Cloudflare/Akamai authorship, but no confirmed general-availability cache handling yet

Action items if you're evaluating QUERY:

  1. Watch your framework and CDN changelogs for explicit QUERY support announcements
  2. Audit WAF/gateway method allowlists now — don't wait for a 405 in production
  3. If you're stuck tunneling GraphQL or complex filters through POST, start scoping the migration path, but keep POST as the production path until infra support is confirmed

What's your stack's current behavior when it receives an unrecognized HTTP method — silent drop, 405, or does it pass through? Worth checking before QUERY traffic shows up in the wild.

Top comments (0)