What is idempotency in HTTP methods?

by

What is idempotency in HTTP methods?

Idempotency is a property of HTTP methods.

A request method is considered idempotent if the intended effect on the server of multiple identical requests with that method is the same as the effect for a single such request. And it’s worthwhile to mention that idempotency is about the effect produced on the state of the resource on the server and not about the response status code received by the client.

To illustrate this, consider the DELETE method, which is defined as idempotent. Now consider a client performs a DELETE request to delete a resource from the server. The server processes the request, the resource gets deleted and the server returns 204. Then the client repeats the same DELETE request and, as the resource has already been deleted, the server returns 404.

Despite the different status code received by the client, the effect produced by a single DELETE request is the same effect of multiple DELETE requests to the same URI.

Finally, requests with idempotent methods can be repeated automatically if a communication failure occurs before the client is able to read the server’s response. The client knows that repeating the request will have the same intended effect, even if the original request succeeded, though the response might be different.

RFC 7231

Let’s have a look at the RFC 7231, the document defines the semantics and the content of the HTTP/1.1 protocol. See the quotes below (highlights are mine).

HTTP methods can be safe:

4.2.1. Safe Methods

Request methods are considered “safe” if their defined semantics are essentially read-only; i.e., the client does not request, and does not expect, any state change on the origin server as a result of applying a safe method to a target resource. […]

This definition of safe methods does not prevent an implementation from including behavior that is potentially harmful, that is not entirely read-only, or that causes side effects while invoking a safe method. What is important, however, is that the client did not request that additional behavior and cannot be held accountable for it. […]

Of the request methods defined by this specification, the GET, HEAD, OPTIONS, and TRACE methods are defined to be safe. […]

And/or idempotent:

4.2.2. Idempotent Methods

A request method is considered “idempotent” if the intended effect on the server of multiple identical requests with that method is the same as the effect for a single such request. Of the request methods defined by this specification, PUT, DELETE, and safe request methods are idempotent. […]

Like the definition of safe, the idempotent property only applies to what has been requested by the user; a server is free to log each request separately, retain a revision control history, or implement other non-idempotent side effects for each idempotent request. […]

Summarizing, the HTTP methods are classified as following:

+---------+------+------------+
| Method  | Safe | Idempotent |
+---------+------+------------+
| CONNECT | no   | no         |
| DELETE  | no   | yes        |
| GET     | yes  | yes        |
| HEAD    | yes  | yes        |
| OPTIONS | yes  | yes        |
| POST    | no   | no         |
| PUT     | no   | yes        |
| TRACE   | yes  | yes        |
+---------+------+------------+

RFC 5789

The RFC 5789 defines the PATCH method, which is neither safe nor idempotent. However, to prevent collisions, PATCH requests can be issued such a way as to be idempotent, as quoted below:

A PATCH request can be issued in such a way as to be idempotent, which also helps prevent bad outcomes from collisions between two PATCH requests on the same resource in a similar time frame. Collisions from multiple PATCH requests may be more dangerous than PUT collisions because some patch formats need to operate from a known base-point or else they will corrupt the resource. Clients using this kind of patch application SHOULD use a conditional request such that the request will fail if the resource has been updated since the client last accessed the resource. For example, the client can use a strong ETag in an If-Match header on the PATCH request.

More Related Contents:

  1. Do I need Content-Type: application/octet-stream for file download?
  2. What requests do browsers’ “F5” and “Ctrl + F5” refreshes generate?
  3. CORS with POSTMAN
  4. URL matrix parameters vs. query parameters
  5. HTTP redirect: 301 (permanent) vs. 302 (temporary)
  6. Is there a practical HTTP Header length limit?
  7. Why do I need to use http.StripPrefix to access my static files?
  8. How to make external HTTP requests with Node.js [closed]
  9. What is the difference between HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR?
  10. What is the difference between PUT, POST and PATCH?
  11. What’s the difference between a 302 and a 307 redirect?
  12. Should I URL-encode POST data?
  13. What, at the bare minimum, is required for an HTTP request?
  14. How to spoof http referer
  15. Why am I getting “(304) Not Modified” error on some links when using HttpWebRequest?
  16. Difference between Content-Range and Range headers?
  17. HTTP POST request in Inno Setup Script
  18. URL hash is persisting between redirects
  19. How WebSocket server handles multiple incoming connection requests?
  20. nginx close upstream connection after request
  21. Official references for default values of concurrent HTTP/1.1 connections per server? [closed]
  22. Does the HTTP Protocol support multiple content types in response headers?
  23. How to cancel a HTTPRequest in Angular 2?
  24. Sending browser cookies during a 302 redirect
  25. Is the Content-Length header required for a HTTP/1.0 response?
  26. What is the difference between server side cookie and client side cookie?
  27. Console errors. Failed to load resource: net::ERR_INSECURE_RESPONSE
  28. What to do with errors when streaming the body of an Http request
  29. Standard method for HTTP partial upload, resume upload
  30. How to perform an HTTP POST request in ASP?

Leave a Comment