Editing HTTP (section)

==== Safe methods ====
A request method is ''safe'' if a request with that method has no intended effect on the server. The methods GET, HEAD, OPTIONS, and TRACE are defined as safe. In other words, safe methods are intended to be [[Command–query separation|read-only]]. Safe methods can still have [[Side effect (computer science)|side effects]] not seen by the client, such as appending request information to a [[Server log|log file]] or charging an [[Web banner|advertising account]].

In contrast, the methods POST, PUT, DELETE, CONNECT, and PATCH are not safe. They may modify the state of the server or have other effects such as sending an [[email]]. Such methods are therefore not usually used by conforming [[Internet bot|web robots]] or web crawlers; some that do not conform tend to make requests without regard to context or consequences.

Despite the prescribed safety of GET requests, in practice their handling by the server is not technically limited in any way. Careless or deliberately irregular programming can allow GET requests to cause non-trivial changes on the server. This is discouraged because of the problems which can occur when [[web caching]], [[search engines]], and other automated agents make unintended changes on the server. For example, a website might allow deletion of a resource through a URL such as ''<nowiki>https://example.com/article/1234/delete</nowiki>'', which, if arbitrarily fetched, even using GET, would simply delete the article.<ref name="oreilly-get-rails">{{cite book |last=Ediger |first=Brad |date=2007-12-21 |title=Advanced Rails: Building Industrial-Strength Web Apps in Record Time |url=https://shop.oreilly.com/product/9780596510329.do |publisher=O'Reilly Media, Inc. |page=188 |isbn= 978-0596519728 |quote=A common mistake is to use GET for an action that updates a resource. [...] This problem came into the Rails public eye in 2005, when the Google Web Accelerator was released.}}</ref> A properly coded website would require a DELETE or POST method for this action, which non-malicious bots would not make.

One example of this occurring in practice was during the short-lived [[Google Web Accelerator]] beta, which prefetched arbitrary URLs on the page a user was viewing, causing records to be automatically altered or deleted ''en masse''. The [[Beta test|beta]] was suspended only weeks after its first release, following widespread criticism.<ref>{{cite web |url=https://blogs.adobe.com/cantrell/archives/2005/06/what_have_we_le.html |title=What Have We Learned From the Google Web Accelerator? |last=Cantrell |first=Christian |archive-url=https://web.archive.org/web/20170819161233/https://blogs.adobe.com/cantrell/archives/2005/06/what_have_we_le.html |archive-date=2017-08-19 |date=2005-06-01 |website=Adobe Blogs |publisher=Adobe |access-date=2018-11-19 |url-status=dead }}</ref><ref name="oreilly-get-rails" />