2.2.5.8 X-HTTP-Method

This header is a custom HTTP request header defined by this document.

It is possible to instruct network intermediaries (proxies, firewalls, and so on) inspecting traffic at the application protocol layer (for example, HTTP) to block requests that contain certain HTTP verbs. In practice, GET and POST verbs are rarely blocked (traditional web pages rely heavily on these HTTP methods), while, for a variety of reasons (such as security vulnerabilities in prior protocols), other HTTP methods (PUT, DELETE, and so on) are at times blocked by intermediaries. Additionally, some existing HTTP libraries do not allow creation of requests using verbs other than GET or POST. Therefore, an alternative way of specifying request types which use verbs other than GET and POST is needed to ensure that this document works well in a wide range of environments.

To address this need, the X-HTTP-Method header can be added to a POST request that signals that the server MUST process the request not as a POST, but as if the HTTP verb specified as the value of the header was used as the method on the HTTP request's request line, as specified in [RFC2616] section 5.1. This technique is often referred to as "verb tunneling".

This header is valid only when on POST requests. A server MAY<57> support verb tunneling as defined in the preceding paragraph. If a server implementing this document does not support verb tunneling, it MUST ignore an X-HTTP-Method header, if present in a POST request, and treat the request as a standard POST request. This implies that a client of such a data service has to determine in advance (using server documentation and so on) if a given data service endpoint supports verb tunneling. A tunneled request sent to a service that does not support verb tunneling interprets the request as an insert request since POST requests map to an insert request, as specified in [RFC5023].

The syntax of the X-HTTP-Method is defined as follows:

 XHTTPMethod  =   "X-HTTP-Method: " 
                 ("PUT" 
                 / "MERGE" 
                 / "PATCH"
                 / "DELETE") 
                 CRLF 

For example, the HTTP request in the following Delete Request Tunneled in a POST Request listing instructs the server to delete the EntityType instance identified by EntityKey value 5 in the Categories EntitySet instead of performing an insert operation.

 POST /Categories(5) 
 HTTP/1.1 
 Host: server 
 X-HTTP-Method: DELETE 

Listing: Delete Request Tunneled in a POST Request