Use HTTP method 'OPTIONS' for custom usage?

Question

I am working on a RESTful api. Now I categorize requests into get, modify and action.

get uses GET
modify uses POST, PUT, PATCH, DELETE
action uses OPTIONS

An example for action is OPTIONS /dogs/:id/feed, this will result in dog status changing flowing the logic defined in server scripts.

So, will there be any problems if I use OPTIONS for this usage?

Why do you want to create a RESTful API if you are going to do your own thing? The point of following a standard is to make integration easy. — vtortola, Apr 04 '17 at 11:02

score 4 · Answer 1 · answered Mar 31 '17 at 05:16

4

There might be problems, because you're abusing OPTIONS. Read Section 4.2.1 of RFC 7231 (https://greenbytes.de/tech/webdav/rfc7231.html#rfc.section.4.2.1):

Request methods are considered "safe" if their defined semantics are essentially read-only; i.e., the client does not request, and does not expect, any state change on the origin server as a result of applying a safe method to a target resource. Likewise, reasonable use of a safe method is not expected to cause any harm, loss of property, or unusual burden on the origin server.

...

Of the request methods defined by this specification, the GET, HEAD, OPTIONS, and TRACE methods are defined to be safe.

answered Mar 31 '17 at 05:16

Julian Reschke

40,156
8
95
98

What if I have a well-defined agreement with my client? – bijiDango Mar 31 '17 at 07:30
You'd still be violating the HTTP spec. – Julian Reschke Mar 31 '17 at 08:38
I don't care if I violate something as long as it does no harm : ) – bijiDango Mar 31 '17 at 09:30
Well, it might fail in unexpected ways. – Julian Reschke Mar 31 '17 at 10:22
Yeah, that is what I want to find out here : ( – bijiDango Mar 31 '17 at 12:22
@bijiDango I think it's a good idea to take the advice of the guy who wrote the HTTP spec when asking a question about the HTTP spec. For example, any intermediate server may decide "hey, that OPTIONS request is taking too long, I'll just resend it". Now you've got duplicate unsafe requests going to your server, but only sometimes, and your client is only sending one. That's some good debugging fun right there. – Eric Stein Mar 31 '17 at 12:46
and your only fix is a breaking API change to use an unsafe method anyway. – Eric Stein Mar 31 '17 at 12:53

score 1 · Answer 2 · answered Apr 04 '17 at 10:53

An example for action is OPTIONS /dogs/:id/feed, this will result in dog status changing flowing the logic defined in server scripts.

Why don't you use POST in this case? Actions are just a model for something you create/update, so you can use POST (or PUT in the case you know where to put the resource).

In this case, I would do the something like:

POST /dogs/:id/bowls
Content-Type: application/json
{
    "bowlContent" : <food description>
}

This will create a bowl with the food inside (the meaning of feed in fact).

OPTIONS is often used to query how you can use a particular resource (meaning what are my options? See http://zacstewart.com/2012/04/14/http-options-method.html), or as preflight requests in cross-domain Ajax calls (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS). You should not use it for any other purpose.

Use HTTP method 'OPTIONS' for custom usage?

2 Answers2