I recently had to make an endpoint for a deletion of a resource, for this I wanted to use the HTTP Verb DELETE. However I had recently consumed an endpoint where the delete request had a body, meaning the key for the resource I was to delete was within the body and not the URL path. This made me wonder what the best practice was around delete requests.
According to Mozilla a DELETE request "may" have a body, compared to a PUT, which should have a body. By this it seems optional whether you want to provide a body for a DELETE request. The RFC states that:
A payload within a DELETE request message has no defined semantics; sending a payload body on a DELETE request might cause some existing implementations to reject the request.
Again, this states that there can be a body (payload), however it also states that it has no defined semantics, so this part of the specification is left open. The verdict must be that we can provide a body, but is this a good idea?
Many answers and comments in this stackoverflow.com question describes bizarre behavior when providing a body for a HTTP DELETE request:
- User Karmic Coder reports that a lot of clients used to send HTTP requests are unable to send a DELETE with a body, here he mentions Android.
- User Ashish reports that Tomcat, Weblogic denies Delete requests that has a payload
- User CleverPatrick reports that OpenAPI specification for version 3.0 dropped support for DELETE methods with a body.
- User Ben Fried reports that Google cloud HTTPS load balancer will reject delete requests that carries a payload with a 400 status code.
- User Parker reports that Sahi Pro strips any provided body data for delete requests.
- User evan.leonard reports that Some versions of Tomcat and Jetty seem to ignore an entity body
From the above I would not encourage you to implement a DELETE endpoint which uses a body. It seems not all clients are able to provide one and not all loadbalancers, APIs and webservers handle it like you may expect. Whether this is due to the developers not believing this is good practice or interpreting the specification differently, we do not know. But there seems to be a difference of opinion on this subject.
Due to the above I decided not to use a body for my DELETE request, this seemed like the safest choice.
I hope you found this post helpful, if you believe I made the right or wrong choice, please let me know in the comments down below :)