Home/ Questions/Q 84959
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-10T22:00:50+00:00

When issuing an HTTP DELETE request, the request URI should completely identify the resource

  • 0

When issuing an HTTP DELETE request, the request URI should completely identify the resource to delete. However, is it allowable to add extra meta-data as part of the entity body of the request?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. The spec does not explicitly forbid or discourage it, so I would tend to say it is allowed.

    Microsoft sees it the same way (I can hear murmuring in the audience), they state in the MSDN article about the DELETE Method of ADO.NET Data Services Framework:

    If a DELETE request includes an entity body, the body is ignored […]

    Additionally here is what RFC2616 (HTTP 1.1) has to say in regard to requests:

    • an entity-body is only present when a message-body is present (section 7.2)
    • the presence of a message-body is signaled by the inclusion of a Content-Length or Transfer-Encoding header (section 4.3)
    • a message-body must not be included when the specification of the request method does not allow sending an entity-body (section 4.3)
    • an entity-body is explicitly forbidden in TRACE requests only, all other request types are unrestricted (section 9, and 9.8 specifically)

    For responses, this has been defined:

    • whether a message-body is included depends on both request method and response status (section 4.3)
    • a message-body is explicitly forbidden in responses to HEAD requests (section 9, and 9.4 specifically)
    • a message-body is explicitly forbidden in 1xx (informational), 204 (no content), and 304 (not modified) responses (section 4.3)
    • all other responses include a message-body, though it may be of zero length (section 4.3)

    Update

    And in RFC 9110 (June 2022), The fact that request bodies on GET, HEAD, and DELETE are not interoperable has been clarified.

    section 9.3.5 Delete

    Although request message framing is independent of the method used, content received in a DELETE request has no generally defined semantics, cannot alter the meaning or target of the request, and might lead some implementations to reject the request and close the connection because of its potential as a request smuggling attack (Section 11.2 of [HTTP/1.1]). A client SHOULD NOT generate content in a DELETE request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported. An origin server SHOULD NOT rely on private agreements to receive content, since participants in HTTP communication are often unaware of intermediaries along the request chain.

    • 0