On this page · 14 sections
- What actually happened: RFC 10008, in plain terms
- The problem QUERY was built to solve
- GET vs POST vs QUERY — the real difference
- Who wrote it — and why that matters
- 16 years in the making: why HTTP moves this slowly
- Where QUERY already works today
- Where it does not work yet
- The security angle almost nobody's covering
- Should your team adopt it now? A practical rollout path
- What this means for global API design
- Frequently asked questions
- How eCorpIT can help
- A short closing note
- References
Summary. On 15 June 2026, the RFC Editor published RFC 10008 — "The HTTP QUERY Method", a 24-page Proposed Standard on the IETF Standards Track. It defines a new HTTP method called QUERY that behaves like GET (safe, idempotent, cacheable) but carries a full request body like POST. QUERY is the first genuinely new HTTP method since PATCH landed as RFC 5789 in March 2010 — a 16-year gap. The RFC is authored by Julian Reschke (greenbytes), James M. Snell (Cloudflare) and Mike Bishop (Akamai). Node.js has parsed QUERY natively since early 2024; OpenAPI 3.2 documents it; Spring is close but has not shipped support as of July 2026; browsers are still evaluating. This article covers what RFC 10008 actually says, why the gap between GET and POST existed for so long, the security and infrastructure implications most coverage is missing, and a practical rollout path for any team running APIs behind a WAF, CDN, or cache today.
Somewhere in almost every API on the planet, there is an endpoint called POST /search. It works. It's also a small, quiet lie — HTTP's own semantics say POST means "this changes something," and a search does not change anything at all. In June 2026, after eleven years of drafts, the Internet Engineering Task Force finally closed that gap.
What actually happened: RFC 10008, in plain terms
On 15 June 2026, the RFC Editor published RFC 10008, titled simply "The HTTP QUERY Method." The specification is short — 24 pages — and its abstract states plainly what QUERY does: it processes the content sent with the request in a safe and idempotent way and returns the result, behaving like POST in form but with the reliability guarantees of GET.
It is worth being precise about the document's status, because "RFC" alone does not tell you much. RFC 10008 is a Proposed Standard on the IETF Standards Track, meaning it went through public review and was formally approved by the Internet Engineering Steering Group before publication — the same process that produced HTTP/1.1, HTTP/2 and HTTP/3 themselves. This is not a blog-post proposal or a vendor's private extension. It is as official as HTTP specifications get.
The problem QUERY was built to solve
Every backend developer has hit the same wall eventually. A search feature starts simple — GET /products?category=laptops&brand=example — and then grows: multiple filter groups, AND/OR logic, date ranges, multi-field sorting, pagination, geographic bounds, dynamically chosen fields. At some point the query string stops being able to hold it, and the team faces two bad options.
Stick with GET and the request has nowhere reliable to put that complexity. Query strings have no formally guaranteed size limit — practical guidance from the HTTP specifications and CDN operators treats 8,000 octets as a safe floor — and structured data like nested filters or arbitrary JSON is awkward and error-prone to squeeze into a URL-safe string in the first place.
Switch to POST for the search instead and the technical problem disappears, but a semantic one appears. Nothing in the protocol tells a cache, a proxy, or a client library that this particular POST is actually safe to retry or store. Every intermediary has to assume it might change something on the server, because that is what POST is defined to mean.
GET vs POST vs QUERY — the real difference
The cleanest way to see what changed is to line the three methods up against the properties that actually matter for how the web treats a request.
| Property | GET | POST | QUERY |
|---|---|---|---|
| Safe (no server state change) | Yes | No | Yes |
| Idempotent | Yes | No | Yes |
| Cacheable by default | Yes | No | Yes (body must be included in cache key) |
| Carries a request body | No | Yes | Yes |
| CORS preflight required in browsers | No (safelisted) | Depends on content type | Yes (not safelisted as of July 2026) |
| Standard since | HTTP/0.9 (1991) | HTTP/1.0 (1996) | RFC 10008 (June 2026) |
| Underlying RFC | RFC 9110 | RFC 9110 | RFC 10008 |
That single design choice — safe and idempotent semantics, but with a request body — is why RFC 10008 describes QUERY as closing a gap that has existed for the entire modern life of HTTP APIs, rather than adding a nice-to-have. It is not a stylistic alternative to POST /search. It is a request that intermediaries are now permitted to treat the way they already treat GET.
Who wrote it — and why that matters
RFC 10008 carries three author names: Julian Reschke of greenbytes, James M. Snell of Cloudflare, and Mike Bishop of Akamai. That author list is a useful signal in itself — Cloudflare and Akamai between them sit in front of a large share of the web's traffic, which means the organisations most exposed to how caching, CDNs and edge infrastructure actually behave in practice were directly involved in shaping the spec, rather than reacting to it after the fact.
16 years in the making: why HTTP moves this slowly
The idea behind QUERY is not new. Its underlying draft traces back roughly eleven years, moved through a final draft in November 2025, IESG approval on 20 November 2025, and publication as RFC 10008 in mid-June 2026. The gap since the last new HTTP method — PATCH, published as RFC 5789 in March 2010 — is 16 years. That pace is not a sign of neglect. It is how core internet protocols are supposed to move. HTTP underpins essentially the entire web; a change here has to be reviewed against decades of existing servers, proxies, browsers and security assumptions before it becomes a standard, which is precisely why a genuinely new method is rare enough to be real news rather than routine software churn.
Where QUERY already works today
At the protocol level, QUERY needs nothing special to travel over the wire — any existing HTTP/1.1 or HTTP/2 connection can carry it today, since HTTP has never restricted itself to a fixed list of method names.
Runtime and framework support is uneven but moving. Node.js has been able to parse QUERY requests natively since early 2024, well ahead of the RFC's publication. OpenAPI 3.2 already has the vocabulary to document QUERY endpoints formally. And the method maps naturally onto GraphQL query operations (as distinct from mutations), since GraphQL queries are already safe and idempotent but routinely exceed what is comfortable to encode as GET parameters.
Where it does not work yet
The honest gaps matter as much as the wins.
| Environment | Status as of July 2026 |
|---|---|
| Node.js | Native QUERY parsing since early 2024 |
| OpenAPI | 3.2 spec supports QUERY documentation |
| GraphQL | Natural fit for query operations (server side) |
| Spring (Java) | Pull request open; RequestMethod enum does not yet include QUERY |
| Ruby on Rails | Discussion stage only |
| Browsers (Chrome, Firefox, Safari) | Evaluating implementation; not shipped for fetch() yet |
| Common WAFs and CDNs | Method allowlists typically do not include QUERY out of the box |
In the Java ecosystem, Spring's path is a useful case study: an issue requesting QUERY support sat open for roughly two years before being superseded by a pull request marked ready for review the same week the RFC was published — but as of early July 2026, Spring's RequestMethod enum still does not include QUERY, so Spring applications cannot route it yet. Rails is at the discussion stage. Browsers are, as of this writing, evaluating implementation rather than shipping it, so relying on QUERY for public-facing web application traffic today is premature without careful fallback handling.
There is also a browser-specific wrinkle worth flagging on its own: QUERY is not one of the CORS-safelisted methods, so any browser JavaScript calling it cross-origin will trigger a preflight request, the same as a custom method would.
The security angle almost nobody's covering
New HTTP methods do not just need new application code. They need every piece of infrastructure that makes decisions based on method names to be updated deliberately, and that list is longer than it looks. Web application firewalls, API gateways, CDNs and load balancers commonly enforce policy in terms of a fixed set of methods — typically GET, POST, PUT, DELETE and PATCH — and rule sets written before June 2026 simply do not know what to do with QUERY. Some will reject it outright, others may route or inspect it differently than they would a POST to the same path, silently creating inconsistent behaviour across layers.
Caching introduces a sharper risk. Because QUERY is explicitly cacheable, any cache sitting in front of it must include the request body in its cache key — and a cache that hashes or normalises that body incorrectly opens the door to cache poisoning or cache deception, where one user's cached response gets served to another user's differently-intentioned request.
CSRF protections deserve the same scrutiny. Middleware built around an assumed method list may not treat QUERY the way it should. Teams running WAFs or CSRF libraries should treat "does our policy mention QUERY on purpose, not by accident" as a concrete review item rather than an afterthought.
For deeper context on how these architecture decisions interact with API modernisation and cost engineering, see eCorpIT's coverage of application modernization from monolith to microservices.
Should your team adopt it now? A practical rollout path
The realistic answer is: not as a replacement, not yet — but it is worth adding alongside what you already have. A sane migration path is to keep the existing POST /search-style endpoint live, add a QUERY endpoint next to it, advertise support through the Accept-Query header, and let clients migrate as their own tooling catches up, rather than forcing a hard cutover that breaks anything still expecting POST.
Before adopting QUERY anywhere client-facing, a short checklist earns its keep:
- Framework: confirm your web framework can route QUERY (check the specific version, not just the framework name)
- Edge infrastructure: confirm your WAF, API gateway and CDN either understand it or are configured to pass it through deliberately
- Cache layer: confirm the cache builds cache keys from the full request body, not just the URL
- CSRF protection: confirm any CSRF middleware has been extended to cover QUERY explicitly
- Client tooling: confirm SDKs and HTTP libraries used by your consumers support QUERY, or plan the POST-fallback path
What this means for global API design
The significance here is not confined to one language, one framework, or one region's developer community. It is a change to the shared vocabulary every API on the internet is built on top of, regardless of what is running behind it. A payments platform in Singapore, a government open-data portal in Germany, and a startup's mobile backend in Brazil are all, today, choosing between the same imperfect GET-or-POST trade-off for their complex read endpoints. RFC 10008 gives all of them, simultaneously, a third option that did not exist before — which is precisely why an unglamorous 24-page protocol document is worth global attention in a way that most framework releases are not. Frameworks change constantly; the vocabulary underneath the entire web changes perhaps once every decade or so.
Frequently asked questions
How eCorpIT can help
eCorpIT builds and modernises production APIs for clients across India, the United States and the United Kingdom — including REST-to-QUERY migration reviews, edge-infrastructure audits, CDN and WAF policy updates, and end-to-end API architecture design that anticipates the RFC 10008 rollout window.
If your team is planning API changes that touch search, filtering or complex read endpoints, our engineering team can help. Reach us at ecorpit.com/contact-us/ or contact@ecorpit.com.
A short closing note
HTTP added PATCH in 2010 (RFC 5789) and QUERY in 2026 (RFC 10008) — new methods arrive once every decade and a half or so, not every year. That rhythm is the point: this is not a framework trend that will look dated in eighteen months. It is a small, permanent addition to the vocabulary every API on the internet shares. Worth understanding now, while adopting it is still optional rather than assumed.
References
- RFC Editor — RFC 10008 official record: rfc-editor.org/info/rfc10008
- IETF Datatracker — RFC 10008 full text: datatracker.ietf.org/doc/rfc10008
- IETF announcement mail — RFC 10008 on The HTTP QUERY Method: mailarchive.ietf.org
- RFC 5789 — PATCH Method for HTTP (March 2010, historical reference): rfc-editor.org/info/rfc5789
- RFC 9110 — HTTP Semantics: rfc-editor.org/info/rfc9110
- Ajitem — RFC 10008: HTTP Finally Gets a QUERY Method: ajitem.com
- Hive Security — RFC 10008 and the Attack Surface Still Catching Up: hivesecurity.gitlab.io
- Rabinarayan Patra — The Safe GET With a Body (RFC 10008): rabinarayanpatra.com
- Developers Digest — RFC 10008: The New HTTP QUERY Method Explained: developersdigest.tech
- eCorpIT — Application Modernization: Monolith to Microservices 2026: ecorpit.com
Last updated 6 July 2026 by the eCorpIT Editorial team. We will refresh this article as browser support for QUERY lands, as major frameworks (Spring, Rails) ship native routing, and as WAF and CDN vendors publish official QUERY-aware rulesets.