ADP
API Design Principle (BETA)

[ADP-152] X-HTTP-Method-Override

Overview

The X-HTTP-Method-Override header allows clients to specify a different HTTP method than the one used in the request. This is particularly useful in scenarios where the client is restricted to using only certain HTTP methods (like GET or POST) due to limitations in the client environment (e.g., HTML forms).

TIP

In general, always use the appropriate HTTP method for the operation. This header exists primarily to work around client-side limitations that prevent using certain HTTP methods directly.

Guidance

  • The API server MAY implement X-HTTP-Method-Override when it needs to support RESTful operations (like PUT, DELETE) for clients in environments that do not allow these methods directly.
  • [IMPORTANT] Using X-HTTP-Method-Override may lead to security issues such as CSRF attacks. Therefore, you SHOULD use this header with caution and consider whether to deprecate support for this header, or for clients that don't support specific HTTP methods.

Implementation

  • Clients should include the X-HTTP-Method-Override header in their requests to indicate the intended HTTP method.
  • The server should check for the presence of the X-HTTP-Method-Override header and, if present, override the method of the request accordingly.

Example

A client sends a POST request to delete a resource:

http
POST /resource/123 HTTP/1.1
Host: api.example.com
X-HTTP-Method-Override: DELETE
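
One way to implement the server-side check with the caution the Guidance asks for, as an added example that is not part of the ADP guideline: a Python WSGI middleware that honours the header only on POST and only for an allowlist of methods. The class name, the `ALLOWED_OVERRIDES` set, the `adp.original_method` key and the 400 response are assumptions of this example.

```python
# Added example: WSGI middleware that honours X-HTTP-Method-Override narrowly.
# ALLOWED_OVERRIDES and all names below are assumptions, not part of the guideline.
ALLOWED_OVERRIDES = {"PUT", "PATCH", "DELETE"}


class MethodOverrideMiddleware:
    """Rewrite REQUEST_METHOD from X-HTTP-Method-Override, on POST only."""

    def __init__(self, app, allowed=ALLOWED_OVERRIDES):
        self.app = app
        self.allowed = frozenset(allowed)

    def __call__(self, environ, start_response):
        # Pop the header so downstream code never re-interprets it.
        override = environ.pop("HTTP_X_HTTP_METHOD_OVERRIDE", None)
        if override is None:
            return self.app(environ, start_response)

        original = environ.get("REQUEST_METHOD", "")
        method = override.strip().upper()
        # Only POST may be rewritten: a GET (link, image tag, prefetch) must never
        # become a state-changing method, and only allowlisted verbs are accepted.
        if original != "POST" or method not in self.allowed:
            body = b"X-HTTP-Method-Override not accepted for this request\n"
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [body]

        environ["adp.original_method"] = original  # keep for audit logging
        environ["REQUEST_METHOD"] = method
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed downstream app: echoes the method it was dispatched with."""
    body = environ["REQUEST_METHOD"].encode()
    start_response("200 OK", [("Content-Length", str(len(body)))])
    return [body]


def handle(method, override=None):
    """Drive the middleware with a constructed request; return (status, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/resource/123"}
    if override is not None:
        environ["HTTP_X_HTTP_METHOD_OVERRIDE"] = override
    seen = []
    chunks = MethodOverrideMiddleware(demo_app)(
        environ, lambda status, headers: seen.append(status))
    return seen[0], b"".join(chunks)
```

Place the middleware ahead of routing so that authorization and CSRF checks are applied to the effective method rather than to the POST that carried it.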
