« All posts

HTTP QUERY Method Arrives: Is Your Infrastructure Ready?

IETF's new QUERY HTTP method fixes the POST-for-search compromise, but CDN, WAF, and framework support still lag behind. A practical engineering guide to what's ready and what isn't.

In June 2026 the IETF finalized RFC 10008, standardizing QUERY — the first new HTTP method since PATCH in 2010. QUERY merges GET's safe, idempotent, cacheable semantics with POST's ability to carry a request body, finally giving developers a proper way to send large, structured, read-only requests instead of abusing POST for 16-plus years. Notably, the RFC was co-authored by Cloudflare and Akamai engineers, suggesting edge/CDN adoption will outpace framework support.

Still, real gaps separate spec from practice. Caching is possible in theory, but today's CDNs derive cache keys purely from the URL; supporting QUERY requires buffering, hashing, and normalizing the request body too — infrastructure that mostly doesn't exist yet. More urgently, WAFs, API gateways, CORS preflight logic, and CSRF middleware often reject or silently drop unrecognized methods, meaning QUERY traffic could break in production before anyone notices.

GraphQL stands out as the clearest beneficiary, since it has used POST for all operations — including reads — purely to carry a payload, at the cost of HTTP-level caching and safe retries. REST APIs with complex filter or search payloads also gain, avoiding URL length limits and the leakage of sensitive parameters into logs and browser history. The practical advice for engineers: audit WAF and gateway method allowlists now, track framework and CDN changelogs for explicit QUERY support, and keep POST as the production path until infrastructure support is confirmed.

» SourceDev.to