🌐 REST Design Vocabulary
Master core REST terminology: safe vs. idempotent methods, resource naming, statelessness, content negotiation, and status code semantics. Intermediate
An API design review includes the statement: "GET is both safe and idempotent. DELETE is idempotent but not safe. POST is neither safe nor idempotent."
A junior developer asks what "safe" means in REST terms. Which explanation is correct?
Option C is the RFC 7231 definition. Safety and idempotency are distinct HTTP semantics that determine how clients and intermediaries (browsers, caches, proxies) can behave:
| Method | Safe | Idempotent | Browser can retry? |
|---|---|---|---|
| GET | ✓ Yes | ✓ Yes | Yes — safe to prefetch and cache |
| PUT | ✗ No | ✓ Yes | Yes — repeating the same PUT yields the same state |
| DELETE | ✗ No | ✓ Yes | Usually — deleting a deleted resource still leaves it deleted (404 is acceptable) |
| POST | ✗ No | ✗ No | No — browser warns before re-submitting a POST (e.g. form resubmission) |
| PATCH | ✗ No | Not necessarily | Depends on implementation — PATCH to set a value is idempotent; PATCH to increment is not |
Why this matters in practice: These properties determine whether retries are safe, whether caches can serve stale data, and how load balancers route requests. Using a GET to trigger mutations (e.g. GET /users/delete?id=5) is a security and correctness bug.