HTTP GET requests should not modify server state. GET is usually used to retrieve or search resources. For example, to get all the insurance contracts that belong to one specific customer:

– GET /customers/{customerId}/contracts/

To retrieve a specific contract that belongs to one customer:

– GET /customers/{customerId}/contracts/{policyId}

But what options do we have if the parameters sent in the URL are considered sensitive information, or if the URL is very long? The HTTP standard doesn’t specify the maximum length of a URL, but most HTTP clients and servers have a limit of 2048 characters.

The possible options are:

– Use POST instead of GET and send the retrieval parameters in the body of the request. Even though this goes against the convention that POST is used to create a resource (which is not the case with retrieval queries), this approach is used in several implementations.

– Keep using the GET verb but send the query parameters in the body instead of sending them in the URI.

But here we need to clear up the confusion about whether a body is permitted or not. The previous HTTP specification (RFC 2616) implicitly indicates that a body is not supported with GET, but the latest version (RFC 7230) is more permissive and doesn’t prevent sending a body in any type of HTTP request.

So, if you want your API to support GET with a body, whether to avoid long URLs or to send sensitive data, you need to clearly document it in your API and be consistent, so that all the APIs in your company follow the same approach.

As an example, Elasticsearch sends a body in GET requests: https://www.elastic.co/guide/en/elasticsearch/guide/master/analysis-intro.html#analyze-api
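Both options above, as an added example that is not part of the original article: a Python standard-library server and client run the same lookup with the parameter in the query string, in a GET body, and in a POST body, and record the request line an access log would capture in each case. The endpoint paths, customer id and contract data are constructed for the illustration.

```python
import json, threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, parse_qs

ACCESS_LOG = []  # request lines, as a typical access log would record them
CONTRACTS = {"C-1001": ["P-1", "P-2"]}  # constructed sample data

class Handler(BaseHTTPRequestHandler):
    def log_message(self, fmt, *args):
        ACCESS_LOG.append(fmt % args)  # capture instead of writing to stderr

    def _reply(self, customer_id):
        body = json.dumps(CONTRACTS.get(customer_id, [])).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _body_params(self):
        length = int(self.headers.get("Content-Length", 0))
        return json.loads(self.rfile.read(length)) if length else {}

    def do_GET(self):
        # Take the parameter from the body if one was sent, else from the query string
        params = self._body_params()
        query = parse_qs(urlsplit(self.path).query)
        self._reply(params.get("customerId") or query.get("customerId", [""])[0])
    do_POST = do_GET  # the POST option carries the same JSON body

def fetch(port, method, path, payload=None):
    conn = HTTPConnection("127.0.0.1", port)
    body = json.dumps(payload) if payload is not None else None
    headers = {"Content-Type": "application/json"} if body else {}
    conn.request(method, path, body=body, headers=headers)
    data = json.loads(conn.getresponse().read())
    conn.close()
    return data

def demo():
    ACCESS_LOG.clear()
    with HTTPServer(("127.0.0.1", 0), Handler) as server:  # port 0: ephemeral port
        threading.Thread(target=server.serve_forever, daemon=True).start()
        calls = [("GET", "/contracts?customerId=C-1001", None),
                 ("GET", "/contracts/search", {"customerId": "C-1001"}),
                 ("POST", "/contracts/search", {"customerId": "C-1001"})]
        results = [fetch(server.server_port, *call) for call in calls]
        server.shutdown()
    return results, list(ACCESS_LOG)
```

Calling `demo()` returns the three identical responses and the three logged request lines; only the first line contains the customer id. Moving the parameter into the body keeps it out of the logged request line, but confidentiality in transit still depends on TLS.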

About the Author

My name is Adel Ghlamallah and I’m an architect and a Java developer.