HTTP Finally Has a QUERY Method — Here's What RFC 10008 Actually Changes
A new IETF standard gives HTTP a safe, idempotent, cacheable method for complex queries — something GET and POST have never cleanly covered. Here's what it fixes and when to actually use it.
Hanuman Singh
Founder & Lead Engineer · Hanuman Software Services
The gap that's existed since HTTP/1.1
Every backend engineer has hit the same wall: you need to run a complex, filtered, multi-field search, but GET encodes everything in the URI. Once your query has ten optional filters, a full-text match, and a sort order, you're either hitting URI length limits, dealing with painful encoding, or leaking sensitive filter values into server logs and browser history. So teams reach for POST instead — and lose the one thing that made GET useful in the first place: an explicit guarantee that the request is safe and can be retried without side effects.
In June 2026, the IETF published RFC 10008, defining a new HTTP method that closes exactly this gap: QUERY.
What QUERY actually is
Per the spec, QUERY "requests that the request target process the enclosed content in a safe and idempotent manner and then respond with the result." In practice, it's the missing middle ground:
| Property | GET | QUERY | POST |
|---|---|---|---|
| Safe (no state change) | Yes | Yes | Not guaranteed |
| Idempotent | Yes | Yes | Not guaranteed |
| Request body expected | No | Yes | Yes |
| Cacheable | Yes | Yes | Limited |
QUERY gets the request-body flexibility of POST — no more cramming filters into a URI — while keeping GET's contract: a client, proxy, or load balancer can safely retry a QUERY request without worrying it double-charged a customer or created a duplicate record, and can cache the response.
What a QUERY request actually looks like
Straight from the RFC's own example:
QUERY /contacts HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
select=surname,givenname,email&limit=10&match="email=*@example.*"
The server can respond with the results directly, or point at a stored, addressable version of the query for later reuse:
HTTP/1.1 200 OK
Content-Type: application/json
Location: /contacts/stored-queries/42
[{"surname": "Smith", "givenname": "John", "email": "smith@example.org"}, ...]
A few details worth knowing before you reach for it:
- Content-Type is mandatory. The spec is explicit: "Servers MUST fail the request if the Content-Type request field is missing or is inconsistent with the request content." No silent fallback to guessing the body format.
- Servers advertise supported formats via
Accept-Query. A new response header, structured as a list of media type ranges, tells clients what query formats a given endpoint actually understands — useful for API discovery without out-of-band documentation. - Caching is real, not just theoretical. Cache keys incorporate both the request content and metadata, and the spec explicitly permits semantic normalization (stripping encoding differences, normalizing per media-type conventions) for better cache hit rates — clients can opt out with
no-transformif that normalization would change meaning for their format. - 303 See Other is a defined response. For queries expensive enough to warrant storing the result, a server can redirect to a stored resource instead of re-running the computation on every retry.
Where this would have actually helped us
Our own booking system's Cloud Functions are a small, honest example of the exact problem QUERY solves. The availableDates and slots endpoints run a filtered Firestore query — date range, timezone, already-booked slot exclusion — that's unambiguously safe and idempotent: calling it twice never changes anything, and the result is cacheable. We implemented both as Firebase onCall functions specifically to get that request-body flexibility without giving up a strict, typed contract — which is effectively what QUERY standardizes at the HTTP layer instead of a platform-specific RPC layer. If your stack is plain REST rather than an RPC framework, QUERY is the standard way to get the same thing.
Should you actually adopt it now?
Realistically, not yet in most production systems — and that's fine. A few honest constraints:
- Client and proxy support is early. RFC 10008 is a June 2026 standard. Browsers, HTTP client libraries, CDNs, and API gateways need time to add first-class QUERY support — check your specific stack (load balancers, WAFs, API gateway) before relying on it in front of production traffic.
- It's additive, not a GET/POST replacement. Simple lookups by ID stay on GET. State-changing operations stay on POST/PUT/PATCH/DELETE. QUERY specifically targets the "complex read that doesn't fit in a URI" case — a real gap, but a narrow one.
- It's the right primitive for new API design today. If you're designing a new search or filter endpoint now, understanding QUERY's semantics — safe, idempotent, cacheable, body-based — is worth building toward even if you ship it as a well-documented POST today and formally adopt QUERY once your infrastructure supports it.
Designing an API that needs this?
We design and build backend APIs — REST, RPC, and everything in between — for founders who need the contract to be right the first time. Tell us what you're building and we'll tell you honestly whether you need this or a well-designed POST endpoint is good enough for now.