What is a Request Method?

The request method tells you what type of action the client wants to perform. It’s one of the fundamental pieces of every HTTP request.
MDN Web Docs: Read more on HTTP request methods.

Common Methods

GET

  • Purpose: Retrieve data without making changes
  • Example: Loading a webpage, fetching user profile data
  • Typical use: Safe, read-only operations

POST

  • Purpose: Submit data to create something new
  • Example: Submitting a form, creating a new account
  • Typical use: Creating new resources

PUT

  • Purpose: Update an entire existing resource
  • Example: Updating a complete user profile
  • Typical use: Full replacements of existing data

PATCH

  • Purpose: Partially update an existing resource
  • Example: Changing just an email address
  • Typical use: Small, targeted updates

DELETE

  • Purpose: Remove a resource
  • Example: Deleting an account or post
  • Typical use: Permanent removal operations

How It’s Used on the Web

Different parts of your application use different methods:
  • Web browsers primarily use GET for navigation and POST for forms
  • REST APIs use the full range of methods for different operations
  • Mobile apps often use POST/PUT/PATCH for data synchronization
  • Single-page applications use various methods for dynamic updates

Using Request Method in Policies

Basic Examples

Block all DELETE requests:
Field Type: Request Method
Operator: equals
Value: DELETE
Action: Block

Monitor non-GET requests to sensitive paths:
Field Type: Request Method
Operator: not equals
Value: GET
AND
Field Type: Request Path
Operator: starts with
Value: /admin
Action: Monitor

Advanced Pattern: Protect Read-Only Resources

# Challenge any modification attempts to public data
Field Type: Request Method
Operator: in
Value: POST, PUT, PATCH, DELETE
AND
Field Type: Request Path
Operator: starts with
Value: /api/public
Action: Challenge
Real-World Scenario: Many attacks try to use POST requests to endpoints that should only accept GET. Monitoring unexpected methods can reveal reconnaissance attempts or application abuse.
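The three policies above, evaluated by a small Python model of the field/operator/AND semantics. This is an added example, not Esperr's policy engine: the Request class, the operator names (taken from the examples as written) and the sample requests are constructed here. Comparisons are case-sensitive, which is why a lowercase method never matches a rule written for GET or DELETE.

```python
# Added example: a toy evaluator for the policy examples on this page.
# It is not Esperr's policy engine; the Request class, the policy list
# and the sample requests below are constructed for illustration.
from dataclasses import dataclass
from typing import Callable


@dataclass
class Request:
    method: str   # as sent on the wire, e.g. "DELETE"
    path: str     # e.g. "/api/public/items"


# Operators named exactly as the policy examples name them.
# Comparisons are case-sensitive: "delete" does not equal "DELETE".
OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "equals": lambda actual, value: actual == value,
    "not equals": lambda actual, value: actual != value,
    "in": lambda actual, value: actual in [v.strip() for v in value.split(",")],
    "starts with": lambda actual, value: actual.startswith(value),
}

# Field types used on this page, mapped to the request attribute they read.
FIELDS: dict[str, Callable[[Request], str]] = {
    "Request Method": lambda req: req.method,
    "Request Path": lambda req: req.path,
}


@dataclass
class Condition:
    field_type: str
    operator: str
    value: str

    def matches(self, req: Request) -> bool:
        actual = FIELDS[self.field_type](req)
        return OPERATORS[self.operator](actual, self.value)


@dataclass
class Policy:
    name: str
    conditions: list[Condition]  # joined with AND, as in the examples
    action: str

    def matches(self, req: Request) -> bool:
        return all(c.matches(req) for c in self.conditions)


# The three policies from this page, transcribed field by field.
POLICIES = [
    Policy("Block all DELETE requests",
           [Condition("Request Method", "equals", "DELETE")], "Block"),
    Policy("Monitor non-GET requests to sensitive paths",
           [Condition("Request Method", "not equals", "GET"),
            Condition("Request Path", "starts with", "/admin")], "Monitor"),
    Policy("Protect read-only resources",
           [Condition("Request Method", "in", "POST, PUT, PATCH, DELETE"),
            Condition("Request Path", "starts with", "/api/public")], "Challenge"),
]


def evaluate(req: Request, policies: list[Policy] = POLICIES) -> list[str]:
    """Return the action of every policy the request matches, in policy order."""
    return [p.action for p in policies if p.matches(req)]


if __name__ == "__main__":
    # Constructed sample traffic.
    for req in [Request("GET", "/admin/users"),
                Request("POST", "/admin/users"),
                Request("DELETE", "/api/public/items/7"),
                Request("delete", "/api/public/items/7")]:
        print(req.method, req.path, "->", evaluate(req) or ["(no match)"])
```

A DELETE to /api/public matches two policies at once (Block and Challenge); a real engine has to define which action wins, and the model above simply returns both so the overlap is visible.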

Best Practices

DO:

  • Consider method-path combinations - GET to /api/delete might be suspicious
  • Monitor unusual methods - TRACE, CONNECT, OPTIONS might indicate scanning
  • Validate API patterns - Ensure methods match your API design
  • Start with monitoring - Understand normal patterns before blocking

DON’T:

  • Block all POST requests - This would break most forms
  • Ignore GET requests - They can still leak data or cause issues
  • Assume safety - GET requests can still be malicious
  • Forget about APIs - They use methods differently than browsers

Common Attack Patterns

Pattern                  What to Look For                    Suggested Action
Method Override          POST with _method parameter         Monitor closely
Verb Tampering           Wrong method for endpoint           Challenge or block
REST Misconfiguration    DELETE/PUT to unauthorized paths    Block
Scanner Fingerprinting   OPTIONS/TRACE requests              Monitor and rate limit
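A constructed Python classifier for the four patterns in the table, which also covers the troubleshooting note below about frameworks that convert methods via _method. This is an added example, not the product's code: ALLOWED_METHODS stands for an assumed API design, the override header names are common framework conventions (an assumption; check what your framework actually reads), and the sample requests are constructed. The key design point is that a POST carrying an override is judged by the method it will become, not the one on the wire.

```python
# Added example: classifies requests against the four patterns in the table
# above. Not the product's code. ALLOWED_METHODS stands for an assumed API
# design, the override header names are common framework conventions, and
# the sample requests are constructed.
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs


@dataclass
class Request:
    method: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)
    body: str = ""  # application/x-www-form-urlencoded body, if any


# Assumed API design: which methods each path prefix legitimately accepts.
ALLOWED_METHODS = {
    "/api/public": {"GET", "HEAD"},         # read-only public data
    "/api/users": {"GET", "POST", "PATCH"},
    "/admin": {"GET", "POST"},
}

# Header names frameworks commonly honour for method override (assumption:
# adjust to what your framework actually reads).
OVERRIDE_HEADERS = ("x-http-method-override", "x-http-method", "x-method-override")

# Methods browsers rarely send on their own; the table flags them as scanner activity.
SCANNER_METHODS = {"OPTIONS", "TRACE", "CONNECT"}


def override_method(req: Request) -> Optional[str]:
    """Return the method a POST asks the framework to treat it as, if any."""
    if req.method != "POST":
        return None
    form_value = parse_qs(req.body).get("_method", [None])[0]
    if form_value:
        return form_value.upper()
    headers = {k.lower(): v for k, v in req.headers.items()}
    for name in OVERRIDE_HEADERS:
        if name in headers:
            return headers[name].upper()
    return None


def classify(req: Request) -> list[tuple[str, str]]:
    """Return (pattern, suggested action) pairs from the table that the request triggers."""
    findings: list[tuple[str, str]] = []

    # Method Override: note it, then judge the request by its effective method.
    override = override_method(req)
    effective = override or req.method
    if override:
        findings.append(("Method Override", "Monitor closely"))

    # Scanner Fingerprinting: unusual methods regardless of path.
    if req.method in SCANNER_METHODS:
        findings.append(("Scanner Fingerprinting", "Monitor and rate limit"))

    # Verb Tampering / REST Misconfiguration: compare the effective method
    # with what the endpoint is designed to accept (longest prefix wins).
    for prefix in sorted(ALLOWED_METHODS, key=len, reverse=True):
        if req.path.startswith(prefix):
            if effective not in ALLOWED_METHODS[prefix]:
                if effective in {"DELETE", "PUT"}:
                    findings.append(("REST Misconfiguration", "Block"))
                else:
                    findings.append(("Verb Tampering", "Challenge or block"))
            break
    return findings


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Request("GET", "/api/public/items"),
        Request("POST", "/api/public/items/7", body="_method=delete"),
        Request("POST", "/api/public/items/7", headers={"X-HTTP-Method-Override": "PUT"}),
        Request("TRACE", "/"),
        Request("PATCH", "/admin/settings"),
    ]
    for req in samples:
        print(req.method, req.path, "->", classify(req) or "clean")
```

A policy that only inspects the Request Method field sees the second and third samples as ordinary POSTs; pairing the method with the Body Data and Headers fields is what makes the override visible.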

Integration Tips

Combine with Other Fields: Request Method becomes powerful when combined with:
  • Request Path - Match specific endpoint behaviors
  • User Agent - Identify automated tools using unusual methods
  • Client IP - Track sources of suspicious method usage
  • Headers - Look for method override headers

Troubleshooting

“Why isn’t my policy matching?”
  • Check for exact case (GET not get)
  • Verify the actual method being sent (check browser DevTools)
  • Some frameworks convert methods (e.g., forms using POST with _method)

“I’m blocking legitimate traffic!”
  • Review which paths truly need protection
  • Consider using Challenge instead of Block
  • Check if your application uses method overrides

Related Fields

  • Request Path - Often used together for precise rules
  • Headers - May contain method override information
  • Body Data - POST/PUT/PATCH requests contain body data