In short: There is nothing in the specifications that prohibits the use of a body for a HTTP Delete request. However for some clients this may not be implemented and some servers may ignore it or work incorrectly.
I recently had to make an endpoint for a deletion of a resource, for this I wanted to use the HTTP Verb DELETE. However I had recently consumed an endpoint where the delete request had a body, meaning the key for the resource I was to delete was within the body and not the URL path or a parameter. This made me wonder what the best practice was around delete requests.
According to Mozilla a DELETE request "may" have a body, compared to a PUT, which should have a body. By this it seems optional whether you want to provide a body for a DELETE request. The RFC states that:
A payload within a DELETE request message has no defined semantics; sending a payload body on a DELETE request might cause some existing implementations to reject the request.
Again, this states that there can be a body (payload), however it also states that it has no defined semantics, so this part of the specification is left open. The verdict must be that we can provide a body, but is this a good idea?
Several answers and comments in this stackoverflow.com question describes bizarre behaviour when providing a body for a HTTP DELETE request:
- User Karmic Coder reports that a lot of clients used to send HTTP requests are unable to send a DELETE with a body, here he mentions Android.
- User Ashish reports that Tomcat, Weblogic denies Delete requests that has a payload
- User CleverPatrick reports that OpenAPI specification for version 3.0 dropped support for DELETE methods with a body.
- User Ben Fried reports that Google cloud HTTPS load balancer will reject delete requests that carry a payload with a 400 status code.
- User Parker reports that Sahi Pro strips any provided body data for delete requests.
- User evan.leonard reports that Some versions of Tomcat and Jetty seem to ignore an entity body
With the above you should be discouraged from implementing a DELETE endpoint which uses a body. It seems not all clients are able to provide one and not all load balancers, APIs and web servers handle it like you may expect them to. Whether this is due to the developers not believing this is good practice or interpreting the specification differently, we cannot tell. But there seems to be a difference of opinion on this matter and a broader support for using URL parameters or a path.
Due to the above I decided not to use a body for my DELETE request, this seemed like the safest choice.
That is all
I hope you found this post helpful, if you believe I made the right or wrong choice, please let me know in the comments down below :)