POST request just to run a search (not to create anything, not to change any state, just to query some data with a complex filter body), you were bending the rules. We all did it. It was the only real option. But as of June 2026, the IETF has officially standardized RFC 10008, and the HTTP QUERY method is now a real thing. This isn't a minor tweak. It is the first genuinely new HTTP method to be standardized in roughly 16 years. If you build APIs, work with REST, or just care about doing HTTP correctly, you'll want to understand what changed and why it matters.
Key Takeaways
- RFC 10008 officially standardizes the QUERY HTTP method as of June 2026.
- It allows a request body while being safe and idempotent.
- It solves the long-standing problem of sending complex search parameters that don't fit in a URL.
- Responses can be cached by intermediaries, unlike POST.
- Browser and framework support is still early, but you can use it today with a POST fallback strategy: try QUERY, get a 405 Method Not Allowed, fall back to POST. Simple.
The Problem That Needed Solving
Here's the situation most API developers know intimately. You have a search endpoint. The query is complex: nested filters, date ranges, geospatial parameters, a full structured query object. You want to use GET because the operation is read-only. You're not creating anything, not modifying state. Pure query.
But GET has no body. Technically the HTTP spec doesn't forbid one, but most HTTP clients ignore it, many servers strip it, and intermediaries like proxies and CDNs have no idea what to do with it. So you cram everything into the URL as query parameters. And when that gets too long (URLs have practical length limits around 2,000 to 8,000 characters depending on client and server), you hit a wall.
The workaround? POST. Send a POST with a JSON body describing your query. It works. But semantically, POST means "create something" or "trigger a side effect." Caches won't touch POST responses. You lose idempotency guarantees. You're essentially lying to every layer of the stack about what the request is doing.
That's the gap QUERY fills.
What the HTTP QUERY Method Actually Is
The QUERY method, defined in RFC 10008, is built for exactly one purpose: requesting that a server process a query described in the request body, safely and idempotently.
Those two words carry a lot of weight. Safe means the request doesn't modify server state: reading data, filtering results, searching. Idempotent means you can send the same request multiple times and get the same result, no side effects stacking up.
GET is both. POST is neither. QUERY is both, but unlike GET, it carries a request body. That's the whole point.
A basic QUERY request looks like this:
```http
QUERY /products HTTP/1.1
Host: api.example.com
Content-Type: application/json

{
  "filters": {
    "category": "electronics",
    "price_max": 500,
    "in_stock": true
  },
  "sort": "price_asc",
  "page": 1
}
```

The server processes the body as query input and returns matching results. No state changes. No side effects. Just data.
Caching: The Big Win
This is where QUERY really separates itself from the POST workaround. Because it's defined as safe and idempotent, HTTP caches (CDNs, reverse proxies, browser caches) are allowed to cache the responses.
With POST, caches generally refuse to store responses because POST implies mutation. You had to add custom cache headers, build cache keys based on request bodies, or roll your own caching layer entirely. Messy, fragile, and annoying to maintain.
With QUERY, a CDN can see the method is safe, inspect the request body as part of the cache key, and serve cached results for identical queries. For search-heavy APIs at scale, this is a meaningful performance improvement. Not a nice-to-have. An actual win.
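What "the request body as part of the cache key" can look like, as an added Go example that is not from the original article or from RFC 10008. A cache that keyed QUERY responses on the URL alone would hand one query's results to a different query, so the key below covers the target, the media type and the body. `QueryCacheKey` is a hypothetical helper, and canonicalising JSON before hashing is a design choice assumed here.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"mime"
)

// QueryCacheKey (hypothetical helper) derives a cache key from the target URL,
// the media type and the canonicalised request body of a QUERY request.
func QueryCacheKey(target, contentType string, body []byte) (string, error) {
	mediaType, _, err := mime.ParseMediaType(contentType)
	if err != nil {
		return "", fmt.Errorf("bad Content-Type: %w", err)
	}
	canonical := body
	if mediaType == "application/json" {
		// Decode and re-encode: json.Marshal sorts object keys and drops
		// whitespace, so equivalent queries share one cache entry.
		dec := json.NewDecoder(bytes.NewReader(body))
		dec.UseNumber() // keep numbers exactly as written
		var v interface{}
		if err := dec.Decode(&v); err != nil {
			return "", fmt.Errorf("bad JSON body: %w", err)
		}
		if _, err := dec.Token(); err != io.EOF {
			return "", fmt.Errorf("trailing data after JSON body")
		}
		if canonical, err = json.Marshal(v); err != nil {
			return "", err
		}
	}
	h := sha256.New()
	// Length-prefix each field so bytes cannot slide from one field into the next.
	for _, part := range []string{"QUERY", target, mediaType, string(canonical)} {
		fmt.Fprintf(h, "%d:%s", len(part), part)
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

func main() {
	a, _ := QueryCacheKey("/products", "application/json", []byte(`{"price_max":500,"category":"electronics"}`))
	b, _ := QueryCacheKey("/products", "application/json", []byte(`{"category":"electronics","price_max":600}`))
	fmt.Println(a != b) // different queries must never share a cache entry
}
```

Responses that depend on who is asking still need `Cache-Control: private` or a key that includes the caller's identity, exactly as with GET.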
How QUERY Compares to GET and POST
| Feature | GET | POST | QUERY |
|---|---|---|---|
| Request body | No | Yes | Yes |
| Safe | Yes | No | Yes |
| Idempotent | Yes | No | Yes |
| Cacheable | Yes | No | Yes |
| Bookmarkable | Yes | No | Potentially |
| Semantic meaning | Retrieve resource | Create/action | Query with body |
QUERY isn't replacing GET or POST. It's filling the gap both methods left open.
Using QUERY Today: The Fallback Pattern
Browser support and framework support are still catching up. Honest reality. But you don't have to wait. The recommended approach from early adopters is a simple progressive fallback: send a QUERY request with your body, and if the server responds with 405 Method Not Allowed, fall back to POST, then cache whichever succeeded.
In JavaScript:
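```javascript
async function queryEndpoint(url, query) {
  let response = await fetch(url, {
    method: 'QUERY',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(query),
  });
  if (response.status === 405) {
    // Server doesn't support QUERY yet, fall back to POST
    response = await fetch(url, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(query),
    });
  }
  return response.json();
}
```

As more servers and intermediaries adopt QUERY support, your clients automatically start using it correctly. No code changes needed down the line.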
Server-Side Support: Go, .NET, and Beyond
Adding QUERY support server-side is straightforward in most frameworks since it's just another HTTP method string. In Go:
```go
mux.HandleFunc("QUERY /search", func(w http.ResponseWriter, r *http.Request) {
	var query SearchQuery
	// Reject malformed bodies instead of searching with a zero-value query.
	if err := json.NewDecoder(r.Body).Decode(&query); err != nil {
		http.Error(w, "invalid query body", http.StatusBadRequest)
		return
	}
	results := performSearch(query)
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(results)
})
```

Go's net/http package handles custom methods without special configuration. Similar patterns work in Node.js with Express, Python with FastAPI, and .NET, where ASP.NET Core in .NET 10 is adding native QUERY support as part of its HTTP method handling updates.
The server-side story is actually pretty smooth. The harder part is getting clients, CDNs, and proxies to recognize and correctly handle QUERY semantics. That will take time and adoption pressure.
What This Means for API Design
If you're designing a new API today, QUERY gives you a cleaner vocabulary. Search endpoints, complex filter operations, aggregation queries — they all have a proper home now. No more awkwardly shoehorning them into POST /search and then writing documentation explaining "yes, this POST doesn't create anything, it just searches." That sentence has appeared in more API docs than anyone wants to admit.
For GraphQL users, this is particularly relevant. GraphQL queries have always been sent as POST requests for exactly this reason — the query body was too complex for URL parameters. QUERY is semantically the right method for GraphQL queries, and some in the GraphQL community are already discussing adoption.
For REST designers, it opens up cleaner resource design. A GET /users/123 retrieves a specific user. A QUERY /users with a body finds users matching complex criteria. The intent is unmistakable.
My take: the most immediate practical impact will be on internal APIs and microservices where you control both client and server. You can adopt QUERY right now in those environments without waiting for broad ecosystem support.
A Few Things to Watch
Some open questions remain as adoption grows. Browsers don't natively support QUERY in HTML forms, which only know GET and POST. CORS preflight behavior matters too — browsers send preflight OPTIONS requests for non-standard methods, so servers need to explicitly allow QUERY in their CORS headers. And CDN support timelines vary widely. Cloudflare, AWS CloudFront, and others will need updates to correctly cache QUERY responses based on request bodies.
None of these are blockers. Growing pains that come with any new standard. The spec is solid, the semantics are clear, and implementation will follow.
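The CORS point above, as an added Go example that is not from the original article: a middleware that answers preflights for QUERY only for an allow-list of origins, rather than reflecting any origin or using a wildcard. `allowedOrigins`, `withQueryCORS` and `preflight` are hypothetical names, and the origin values are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins is a constructed allow-list for this example.
var allowedOrigins = map[string]bool{"https://app.example.com": true}

// withQueryCORS answers preflights for QUERY, but only for allow-listed origins.
// Other origins get no CORS headers, so the browser blocks the cross-origin call.
func withQueryCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		w.Header().Add("Vary", "Origin") // the response differs per origin
		allowed := allowedOrigins[origin]
		if allowed {
			w.Header().Set("Access-Control-Allow-Origin", origin)
		}
		// A preflight is an OPTIONS request carrying Access-Control-Request-Method.
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			if allowed {
				w.Header().Set("Access-Control-Allow-Methods", "QUERY, POST")
				w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
			}
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// preflight sends a constructed preflight for QUERY /search and returns the headers.
func preflight(origin string) http.Header {
	req := httptest.NewRequest(http.MethodOptions, "/search", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "QUERY")
	rec := httptest.NewRecorder()
	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	withQueryCORS(next).ServeHTTP(rec, req)
	return rec.Result().Header
}

func main() {
	fmt.Println(preflight("https://app.example.com").Get("Access-Control-Allow-Methods"))
	fmt.Println(preflight("https://other.example").Get("Access-Control-Allow-Methods") == "")
}
```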
Wrapping Up
The HTTP QUERY method isn't revolutionary in concept — developers have been wanting exactly this for over a decade. What RFC 10008 gives us is official, standardized language for something we've been doing informally and incorrectly with POST for years.
The path forward is straightforward: add QUERY support to your servers now, use the 405 fallback pattern on clients, and update your API documentation to reflect the correct semantics. As ecosystem support grows, the caching and semantic benefits will compound.
If you want to read the spec yourself, the official RFC 10008 on the IETF datatracker is surprisingly readable for an RFC.
HTTP just got a little more honest. About time.
Sources
- RFC 10008 – The HTTP QUERY Method — IETF Datatracker: https://datatracker.ietf.org/doc/rfc10008/
- RFC Editor – RFC 10008 Info Page: https://www.rfc-editor.org/info/rfc10008/
- HTTP QUERY and Go — kmcd.dev: https://kmcd.dev/posts/http-query/
- The New HTTP QUERY Method – and How to Use It Today in .NET — vensas.de: https://vensas.de/en/blog/http-query-method-dotnet-10
- Introducing QUERY HTTP Method for Complex Data Searches — LinkedIn/Umaabu: https://www.linkedin.com/posts/umaabu_http-is-getting-a-new-method-called-query-activity-7478496004644700160-2zN9
- The new HTTP QUERY method explained — Hacker News discussion: https://news.ycombinator.com/item?id=48640974
- New HTTP method "query" — Reddit r/Backend: https://www.reddit.com/r/Backend/comments/1um6fbo/new_http_method_query/
- RFC 10008 is official. The HTTP QUERY method is here — Reddit r/webdev: https://www.reddit.com/r/webdev/comments/1ummfyr/rfc_10008_is_official_the_http_query_method_is/