Who Cares about GET vs. POST? NoREST

What a strange article. A browser does care if it is a GET or a PUT. The behaviour is different and IIRC defined in an RFC. The article limits itself about APIs, but some of the statements that are made are not correct. I guess a case of saying something wrong to trigger someone to educate you?

The point of REST is to reduce barrier to entry for using your API.<p>There is a specification for web requests which works rather well, is relatively applicable for any resource oriented service, and has well defined semantic conventions&#x2F;specifications for failures, operations on resources, and responses to operations. It&#x27;s an incredibly well known &amp; understood specification. Any things you wonder have almost certainly been asked a thousand times before, and a single Google search will invariably land you on Stack Overflow with a productive discussion about what the best approach is.<p>Why not make use of this? You lose nothing by generally following the standard (since you can deviate from them whenever you need), but you gain so much - both from the perspective of building your API, and from the perspective of a potential person using your API.<p>---<p>Also two things specifically came to mind to mention:<p>&gt; Who Cares about GET vs. POST?<p>There are very practical implications from the use of GET&#x2F;POST. Any GET request you support can be called from any website without any knowledge from the user. For example:<p><pre><code> &lt;img style=&quot;display:none&quot; src=&quot;https:&#x2F;&#x2F;example.com&#x2F;user&#x2F;setPassword?password=foobar&quot; &#x2F;&gt; </code></pre> By using a POST, along with standard cross origin protections, it is much more difficult for a malicious website to have any impact on your user. (Although CSRF checking should be done anyway)<p>&quot;Well then, I&#x27;ll just use POST for everything&quot;, you might say. There are a great number of downsides for that also: preventing caching, not allowing cross-origin communication without CORS, clients not being sure about idempotency, etc.<p>---<p>&gt; &quot;If we put the function name between the parameters themselves&quot;<p>I found this interesting, because there is a language which does this - Objective C.<p>These are fairly equivalent:<p><pre><code> GET &#x2F;customer&#x2F;getOrder?customerID=33245&amp;orderID=8769 customerGetOrder(33245, 8769) </code></pre> And these are equivalent, but oriented the &#x27;RESTful&#x27; way:<p><pre><code> GET &#x2F;customer&#x2F;33245&#x2F;order&#x2F;8769 [self getOrder:8769 forCustomer:33245]; Customer.find(33245).orders.find(8769); </code></pre> Personally I think the latter examples work much better in a resource oriented service. They show logical structure, relationship between objects, etc.

The problem is that with the REST standard there are a lot of edge cases that are not commonly used. REST advocates cannot claim that no one is using REST &quot;properly&quot; and at the same time say that REST should be used because it is so common. Take the Dropbox debate, one prominent post featured on HN said that they should use a PATCH request type, which is very rarely used (outside I think certain version control systems). I imagine plenty of developers who want to use Dropbox&#x27;s API have not heard of a PATCH request type.<p>So yes informal sloppy REST is commonly used and there is some virtue in that, but as any REST advocate will attest to, sloppy informal REST has its drawbacks, as Dropbox found out. Moving to a more formal REST architecture may solve those problems, but you lose the &quot;commonly-used&quot; virtue.<p>Add to that the problem that when you have application logic that is not REST-like, forcing it into REST can require a convoluted middle-layer. Avoiding that complication is worth well more than &quot;commonly-used&quot;<p>I like REST in general, and I even think formal REST with its many HTTP verbs and HTTP headers has a formal elegance. But there are plenty of reasons to go in a different direction, if your application logic favors a different way.

What I take from the article is that we try to push things into where they don&#x27;t really fit. I like the modern URLs we are building now, that they are easy to understand to humans. The problem is not wether we should use GET or POST, the problem is when we try to use PUT and other verbs for things they are not ment to do. If you want a system to perform an action, it&#x27;s not GET or POST, but it&#x27;s not PUT either. You can&#x27;t use the old HTTP error codes for application errors such as &quot;flight is overbooked.&quot;

Hm this was the predominant way things were done about 10 years ago, and I think many people decided it ended up being harder to read.<p>Take this to its logical conclusion, and you end up with &quot;<a href="http://mywebsite/getUserProfileFirstAddress&quot;" rel="nofollow">http:&#x2F;&#x2F;mywebsite&#x2F;getUserProfileFirstAddress&quot;</a> when you want an endpoint that just returns the first address (or you end up with lots of stuff in a query string that ends up becoming a quasi-programming language), as opposed to a &quot;restful&quot; way of doing it, &quot;user&#x2F;1&#x2F;profile&#x2F;address&#x2F;1&quot;. It&#x27;s not so much about being readable for computers, we can solve that problem, it&#x27;s about being readable for humans, which is the harder problem to solve.

The headline makes me think of NoSQL. The NoSQL (poor nomenclature) movement came about because of limitations with decades-old SQL. I don&#x27;t think such problems exist with REST, which is still fairly young.<p>More importantly, REST created a relatively clean and clear API that almost anyone can understand for any service. Sure, it does vary, as it is not &quot;standard&quot;, and every site has their own resources and paths, but the learning curve to a new API is dramatically lower.

&gt; And these ‘simple’ URLs can be a pain when you want to extend them with more parameters, or even use more complex types like an array as a parameter.<p>Except in REST, a resource would not be identified by an array. If the resources would be a list and you would want to filter it, you would indeed use query parameters.<p>I do not see that the article brings up valid concerns at all. It seems to me, that the author just wants to simplify something, which is already quite nice and simple.<p>REST is a common standard, that fits nicely on top of HTTP. Why not use standard error codes if they are already available and commonly known? Isn&#x27;t that the whole point about standards, that people know them and are therefore already better informed without knowing your specific implementation?<p>I understand criticism against religiously following standards when they are hard to implement or the benefit is marginal. I for example get, using cookies for authentication of an internal API.<p>I don&#x27;t see the point of restricting myself to POST and 200&#x2F;500 error codes, the extra work here to conform to REST is minimal while the benefit to the consumer is clear.

The benefit is not (necessarily) that these ways of doing things are inherently better; it&#x27;s that they are commonly used.<p>If you do things in this manner, everyone who has to deal with your API will have a good understanding of how it works. Even people who&#x27;ve never studied REST will have a good idea of how it works, as long as they are familiar with the web in general.

Sounds like he wants Web Services with json. If he just comes up with a name other than REST he can use it for anything he wants, it would be silly to use the name for something where you clearly break all the rules&#x2F;guidelines. And I don&#x27;t get how it settles all discussions. Someone might still prefer the status code 400 over 500. And someone will want XML in the data instead of json etc. I will just say that I don&#x27;t see any direct benefit with this.

What I think many people are missing is this: there’s stuff that can and should be done in a RESTful way, mainly when you have a resource oriented api. On the other hand there is obviously cases where you really want to do RPC. There is no conflict, use RPC when you want to, but please do it according to some standard, without cooking up cool new URL structures.<p>JSONRPC can save you a lot of headaches, and hardly imposes any restrictions on how you roll your api itself.

It&#x27;s nice with urls without &quot;&amp;&quot; when curl&#x27;ing from bash.

It&#x27;s kind-of a shame that you&#x27;re not allowed to do an HTTP GET with a body.