RFC 10008: HTTP QUERY Method — First New HTTP Method Since 2010

HTTP's first new method since 2010 arrived June 15, 2026 — RFC 10008's QUERY: safe like GET, body-carrying like POST.

Read time
13 min
Word count
2K
Sections
14
FAQs
8
Share
HTTP QUERY method (RFC 10008): a QUERY /search request with a JSON body, compared against GET and POST in a table.
On this page · 14 sections
  1. What actually happened: RFC 10008, in plain terms
  2. The problem QUERY was built to solve
  3. GET vs POST vs QUERY — the real difference
  4. Who wrote it — and why that matters
  5. 16 years in the making: why HTTP moves this slowly
  6. Where QUERY already works today
  7. Where it does not work yet
  8. The security angle almost nobody's covering
  9. Should your team adopt it now? A practical rollout path
  10. What this means for global API design
  11. Frequently asked questions
  12. How eCorpIT can help
  13. A short closing note
  14. References

Summary. On 15 June 2026, the RFC Editor published RFC 10008 — "The HTTP QUERY Method", a 24-page Proposed Standard on the IETF Standards Track. It defines a new HTTP method called QUERY that behaves like GET (safe, idempotent, cacheable) but carries a full request body like POST. QUERY is the first genuinely new HTTP method since PATCH landed as RFC 5789 in March 2010 — a 16-year gap. The RFC is authored by Julian Reschke (greenbytes), James M. Snell (Cloudflare) and Mike Bishop (Akamai). Node.js has parsed QUERY natively since early 2024; OpenAPI 3.2 documents it; Spring is close but has not shipped support as of July 2026; browsers are still evaluating. This article covers what RFC 10008 actually says, why the gap between GET and POST existed for so long, the security and infrastructure implications most coverage is missing, and a practical rollout path for any team running APIs behind a WAF, CDN, or cache today.

Somewhere in almost every API on the planet, there is an endpoint called POST /search. It works. It's also a small, quiet lie — HTTP's own semantics say POST means "this changes something," and a search does not change anything at all. In June 2026, after eleven years of drafts, the Internet Engineering Task Force finally closed that gap.

What actually happened: RFC 10008, in plain terms

On 15 June 2026, the RFC Editor published RFC 10008, titled simply "The HTTP QUERY Method." The specification is short — 24 pages — and its abstract states plainly what QUERY does: it processes the content sent with the request in a safe and idempotent way and returns the result, behaving like POST in form but with the reliability guarantees of GET.

It is worth being precise about the document's status, because "RFC" alone does not tell you much. RFC 10008 is a Proposed Standard on the IETF Standards Track, meaning it went through public review and was formally approved by the Internet Engineering Steering Group before publication — the same process that produced HTTP/1.1, HTTP/2 and HTTP/3 themselves. This is not a blog-post proposal or a vendor's private extension. It is as official as HTTP specifications get.

The problem QUERY was built to solve

Every backend developer has hit the same wall eventually. A search feature starts simple — GET /products?category=laptops&brand=example — and then grows: multiple filter groups, AND/OR logic, date ranges, multi-field sorting, pagination, geographic bounds, dynamically chosen fields. At some point the query string stops being able to hold it, and the team faces two bad options.

Stick with GET and the request has nowhere reliable to put that complexity. Query strings have no formally guaranteed size limit — practical guidance from the HTTP specifications and CDN operators treats 8,000 octets as a safe floor — and structured data like nested filters or arbitrary JSON is awkward and error-prone to squeeze into a URL-safe string in the first place.

Switch to POST for the search instead and the technical problem disappears, but a semantic one appears. Nothing in the protocol tells a cache, a proxy, or a client library that this particular POST is actually safe to retry or store. Every intermediary has to assume it might change something on the server, because that is what POST is defined to mean.

GET vs POST vs QUERY — the real difference

The cleanest way to see what changed is to line the three methods up against the properties that actually matter for how the web treats a request.

Property GET POST QUERY
Safe (no server state change) Yes No Yes
Idempotent Yes No Yes
Cacheable by default Yes No Yes (body must be included in cache key)
Carries a request body No Yes Yes
CORS preflight required in browsers No (safelisted) Depends on content type Yes (not safelisted as of July 2026)
Standard since HTTP/0.9 (1991) HTTP/1.0 (1996) RFC 10008 (June 2026)
Underlying RFC RFC 9110 RFC 9110 RFC 10008

That single design choice — safe and idempotent semantics, but with a request body — is why RFC 10008 describes QUERY as closing a gap that has existed for the entire modern life of HTTP APIs, rather than adding a nice-to-have. It is not a stylistic alternative to POST /search. It is a request that intermediaries are now permitted to treat the way they already treat GET.

Who wrote it — and why that matters

RFC 10008 carries three author names: Julian Reschke of greenbytes, James M. Snell of Cloudflare, and Mike Bishop of Akamai. That author list is a useful signal in itself — Cloudflare and Akamai between them sit in front of a large share of the web's traffic, which means the organisations most exposed to how caching, CDNs and edge infrastructure actually behave in practice were directly involved in shaping the spec, rather than reacting to it after the fact.

16 years in the making: why HTTP moves this slowly

The idea behind QUERY is not new. Its underlying draft traces back roughly eleven years, moved through a final draft in November 2025, IESG approval on 20 November 2025, and publication as RFC 10008 in mid-June 2026. The gap since the last new HTTP method — PATCH, published as RFC 5789 in March 2010 — is 16 years. That pace is not a sign of neglect. It is how core internet protocols are supposed to move. HTTP underpins essentially the entire web; a change here has to be reviewed against decades of existing servers, proxies, browsers and security assumptions before it becomes a standard, which is precisely why a genuinely new method is rare enough to be real news rather than routine software churn.

Where QUERY already works today

At the protocol level, QUERY needs nothing special to travel over the wire — any existing HTTP/1.1 or HTTP/2 connection can carry it today, since HTTP has never restricted itself to a fixed list of method names.

Runtime and framework support is uneven but moving. Node.js has been able to parse QUERY requests natively since early 2024, well ahead of the RFC's publication. OpenAPI 3.2 already has the vocabulary to document QUERY endpoints formally. And the method maps naturally onto GraphQL query operations (as distinct from mutations), since GraphQL queries are already safe and idempotent but routinely exceed what is comfortable to encode as GET parameters.

Where it does not work yet

The honest gaps matter as much as the wins.

Environment Status as of July 2026
Node.js Native QUERY parsing since early 2024
OpenAPI 3.2 spec supports QUERY documentation
GraphQL Natural fit for query operations (server side)
Spring (Java) Pull request open; RequestMethod enum does not yet include QUERY
Ruby on Rails Discussion stage only
Browsers (Chrome, Firefox, Safari) Evaluating implementation; not shipped for fetch() yet
Common WAFs and CDNs Method allowlists typically do not include QUERY out of the box

In the Java ecosystem, Spring's path is a useful case study: an issue requesting QUERY support sat open for roughly two years before being superseded by a pull request marked ready for review the same week the RFC was published — but as of early July 2026, Spring's RequestMethod enum still does not include QUERY, so Spring applications cannot route it yet. Rails is at the discussion stage. Browsers are, as of this writing, evaluating implementation rather than shipping it, so relying on QUERY for public-facing web application traffic today is premature without careful fallback handling.

There is also a browser-specific wrinkle worth flagging on its own: QUERY is not one of the CORS-safelisted methods, so any browser JavaScript calling it cross-origin will trigger a preflight request, the same as a custom method would.

The security angle almost nobody's covering

New HTTP methods do not just need new application code. They need every piece of infrastructure that makes decisions based on method names to be updated deliberately, and that list is longer than it looks. Web application firewalls, API gateways, CDNs and load balancers commonly enforce policy in terms of a fixed set of methods — typically GET, POST, PUT, DELETE and PATCH — and rule sets written before June 2026 simply do not know what to do with QUERY. Some will reject it outright, others may route or inspect it differently than they would a POST to the same path, silently creating inconsistent behaviour across layers.

Caching introduces a sharper risk. Because QUERY is explicitly cacheable, any cache sitting in front of it must include the request body in its cache key — and a cache that hashes or normalises that body incorrectly opens the door to cache poisoning or cache deception, where one user's cached response gets served to another user's differently-intentioned request.

CSRF protections deserve the same scrutiny. Middleware built around an assumed method list may not treat QUERY the way it should. Teams running WAFs or CSRF libraries should treat "does our policy mention QUERY on purpose, not by accident" as a concrete review item rather than an afterthought.

For deeper context on how these architecture decisions interact with API modernisation and cost engineering, see eCorpIT's coverage of application modernization from monolith to microservices.

Should your team adopt it now? A practical rollout path

The realistic answer is: not as a replacement, not yet — but it is worth adding alongside what you already have. A sane migration path is to keep the existing POST /search-style endpoint live, add a QUERY endpoint next to it, advertise support through the Accept-Query header, and let clients migrate as their own tooling catches up, rather than forcing a hard cutover that breaks anything still expecting POST.

Before adopting QUERY anywhere client-facing, a short checklist earns its keep:

  • Framework: confirm your web framework can route QUERY (check the specific version, not just the framework name)
  • Edge infrastructure: confirm your WAF, API gateway and CDN either understand it or are configured to pass it through deliberately
  • Cache layer: confirm the cache builds cache keys from the full request body, not just the URL
  • CSRF protection: confirm any CSRF middleware has been extended to cover QUERY explicitly
  • Client tooling: confirm SDKs and HTTP libraries used by your consumers support QUERY, or plan the POST-fallback path

What this means for global API design

The significance here is not confined to one language, one framework, or one region's developer community. It is a change to the shared vocabulary every API on the internet is built on top of, regardless of what is running behind it. A payments platform in Singapore, a government open-data portal in Germany, and a startup's mobile backend in Brazil are all, today, choosing between the same imperfect GET-or-POST trade-off for their complex read endpoints. RFC 10008 gives all of them, simultaneously, a third option that did not exist before — which is precisely why an unglamorous 24-page protocol document is worth global attention in a way that most framework releases are not. Frameworks change constantly; the vocabulary underneath the entire web changes perhaps once every decade or so.

Frequently asked questions

How eCorpIT can help

eCorpIT builds and modernises production APIs for clients across India, the United States and the United Kingdom — including REST-to-QUERY migration reviews, edge-infrastructure audits, CDN and WAF policy updates, and end-to-end API architecture design that anticipates the RFC 10008 rollout window.

If your team is planning API changes that touch search, filtering or complex read endpoints, our engineering team can help. Reach us at ecorpit.com/contact-us/ or contact@ecorpit.com.

A short closing note

HTTP added PATCH in 2010 (RFC 5789) and QUERY in 2026 (RFC 10008) — new methods arrive once every decade and a half or so, not every year. That rhythm is the point: this is not a framework trend that will look dated in eighteen months. It is a small, permanent addition to the vocabulary every API on the internet shares. Worth understanding now, while adopting it is still optional rather than assumed.

References

  1. RFC Editor — RFC 10008 official record: rfc-editor.org/info/rfc10008
  1. IETF Datatracker — RFC 10008 full text: datatracker.ietf.org/doc/rfc10008
  1. IETF announcement mail — RFC 10008 on The HTTP QUERY Method: mailarchive.ietf.org
  1. RFC 5789 — PATCH Method for HTTP (March 2010, historical reference): rfc-editor.org/info/rfc5789
  1. RFC 9110 — HTTP Semantics: rfc-editor.org/info/rfc9110
  1. Ajitem — RFC 10008: HTTP Finally Gets a QUERY Method: ajitem.com
  1. Hive Security — RFC 10008 and the Attack Surface Still Catching Up: hivesecurity.gitlab.io
  1. Rabinarayan Patra — The Safe GET With a Body (RFC 10008): rabinarayanpatra.com
  1. Developers Digest — RFC 10008: The New HTTP QUERY Method Explained: developersdigest.tech
  1. eCorpIT — Application Modernization: Monolith to Microservices 2026: ecorpit.com

Last updated 6 July 2026 by the eCorpIT Editorial team. We will refresh this article as browser support for QUERY lands, as major frameworks (Spring, Rails) ship native routing, and as WAF and CDN vendors publish official QUERY-aware rulesets.

Frequently asked

Quick answers.

01 What is the HTTP QUERY method, in one sentence?
It is a new officially standardised HTTP method — RFC 10008, published 15 June 2026 — that behaves like GET (safe, idempotent, cacheable) but carries its query data in a request body like POST instead of the URL. QUERY sits on the IETF Standards Track, the same standing as HTTP/1.1 itself.
02 Is QUERY replacing POST or GET?
No. QUERY fills the specific gap between GET and POST — safe reads that need a request body — and is meant to sit alongside both, not replace either. Existing POST /search endpoints keep working. QUERY offers a semantically clean upgrade path where the ecosystem supports it, and teams can migrate gradually rather than all at once.
03 Can I use QUERY in production today?
For server-to-server APIs and Node.js backends, largely yes — the protocol allows it and Node.js has parsed QUERY natively since early 2024. For public browser-facing traffic, treat it as early-stage: browser support is still being evaluated as of mid-2026, and CORS preflight applies because QUERY is not on the safelisted method list.
04 Does my web framework support QUERY yet?
It depends and changes fast. As of mid-2026, Node.js supports it natively, OpenAPI 3.2 can document it, and Spring has an active pull request but no shipped support yet. Rails is at discussion stage. Check your specific framework version, not just the framework name — support is landing on a rolling basis through the second half of 2026.
05 Is QUERY safe to use behind my existing WAF or CDN?
Only if you have verified it explicitly. Method allowlists and cache-key logic written before June 2026 may not account for QUERY, which can mean silent rejection, inconsistent routing across layers, or — if caching keys skip the request body — cache poisoning risk. Audit before enabling in production, and document the decision either way.
06 Why did it take so long for HTTP to get a new method?
The underlying proposal is roughly eleven years old. Core protocol changes to HTTP have to be reviewed against decades of existing servers, browsers and security assumptions before standardisation, which is a deliberately slow process by design. The last new method, PATCH, was published as RFC 5789 in March 2010 — QUERY arrives 16 years later.
07 Is QUERY good for GraphQL?
Yes. GraphQL query operations (not mutations) are already safe and idempotent but often outgrow GET's URL-length limits, making QUERY a natural fit for exposing them as a proper HTTP method rather than routing everything through POST. Server-side GraphQL frameworks are early candidates for shipping QUERY support given the semantic alignment.
08 What should my team actually do this week?
Nothing urgent breaks by waiting, but it is worth one review pass. Check whether your framework, WAF, API gateway, cache layer and CSRF middleware treat QUERY deliberately or would silently mishandle it if a client — or an attacker — sent one today. Document the decision either way, then revisit when framework support lands.

About the author

Aman Mathur

Flutter Developer

Flutter developer with 3+ years building high-performance, AI-powered cross-platform mobile apps for global clients.

Subscribe

One engineering note a week. No fluff, no spam.

Senior-architect playbooks on AI agents, mobile apps, cloud, security, data, and marketing — delivered every Wednesday.

Past the reading

Read enough. Let's build something.

A senior architect responds in 24 working hours with scope, indicative cost, and a timeline. NDA before any technical conversation.