What does safe mean for an HTTP method?

A safe method is read-only by contract — it must not change server state. GET, HEAD, OPTIONS and TRACE are safe. Safety lets caches, crawlers and prefetchers issue the request freely without side effects.

What is idempotency and why does it matter?

An idempotent method produces the same server state whether it is called once or many times. GET, PUT and DELETE are idempotent; POST and PATCH generally are not. Idempotency lets clients and proxies safely retry a request after a timeout.

Is PUT or PATCH idempotent?

PUT is idempotent because it replaces the resource with the same representation every time. PATCH is not required to be idempotent because it applies a partial change that can compound, though a PATCH can be designed to be idempotent.

Which methods are cacheable?

GET and HEAD are cacheable by default. POST responses are cacheable only when they include explicit freshness headers like Cache-Control or Expires. PUT, DELETE, PATCH, OPTIONS, TRACE and CONNECT are not cacheable.

Why is POST not idempotent?

POST typically creates a new resource or triggers a non-repeatable action, so sending it twice can create two records or run an action twice. Use an idempotency key header if you need safe retries on a POST endpoint.

HTTP Method Properties Matrix

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

Know each verb’s contract before you wire it up

Every HTTP method carries a semantic contract: whether it is safe (read-only), idempotent (repeatable without extra effect), cacheable, and whether it has a request body. Getting these right decides whether clients may retry, whether proxies may prefetch, and whether responses can be cached. This matrix lists all standard methods with each property and a searchable lookup.

How it works

The properties are defined by the HTTP specification, not by your framework:

GET    safe  idempotent  cacheable
POST   —     —           only with explicit freshness
PUT    —     idempotent  —
PATCH  —     —           —
DELETE —     idempotent  —

Safe ⇒ the method must not modify resources. Implies it is also idempotent.
Idempotent ⇒ N identical requests leave the server in the same state as one.
Cacheable ⇒ the response may be stored and reused per cache directives.

A retry after a network timeout is safe only for idempotent methods; otherwise use an idempotency key so the server can de-duplicate.

Tips and notes

All safe methods are idempotent, but not all idempotent methods are safe.
PUT replaces the whole resource; PATCH applies a partial, possibly non-idempotent change.
Make POST retry-safe with an Idempotency-Key header de-duplicated on the server.
OPTIONS powers CORS preflight; HEAD returns headers only with no body.
TRACE and CONNECT are rarely used and often disabled for security.