> ## Documentation Index
> Fetch the complete documentation index at: https://docs.esperr.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Request Method

> Understanding HTTP request methods in Esper policies.

## What is a Request Method?

The request method tells you what type of action the client wants to perform. It's one of the fundamental pieces of every HTTP request.

<Info>
  **MDN Web Docs**

  Read more on [HTTP request methods](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods).
</Info>

## Common Methods

### GET

**Purpose:** Retrieve data without making changes
**Example:** Loading a webpage, fetching user profile data
**Typical use:** Safe, read-only operations

### POST

**Purpose:** Submit data to create something new
**Example:** Submitting a form, creating a new account
**Typical use:** Creating new resources

### PUT

**Purpose:** Update an entire existing resource
**Example:** Updating a complete user profile
**Typical use:** Full replacements of existing data

### PATCH

**Purpose:** Partially update an existing resource
**Example:** Changing just an email address
**Typical use:** Small, targeted updates

### DELETE

**Purpose:** Remove a resource
**Example:** Deleting an account or post
**Typical use:** Permanent removal operations

## How It's Used on the Web

Different parts of your application use different methods:

* **Web browsers** primarily use GET for navigation and POST for forms
* **REST APIs** use the full range of methods for different operations
* **Mobile apps** often use POST/PUT/PATCH for data synchronization
* **Single-page applications** use various methods for dynamic updates

## Using Request Method in Policies

### Basic Examples

**Block all DELETE requests:**

```yaml theme={null}
Field Type: Request Method
Operator: equals
Value: DELETE
Action: Block
```

**Monitor non-GET requests to sensitive paths:**

```yaml theme={null}
Field Type: Request Method
Operator: not equals
Value: GET
AND
Field Type: Request Path
Operator: starts with
Value: /admin
Action: Monitor
```

### Advanced Pattern: Protect Read-Only Resources

```yaml theme={null}
# Challenge any modification attempts to public data
Field Type: Request Method
Operator: in
Value: POST, PUT, PATCH, DELETE
AND
Field Type: Request Path
Operator: starts with
Value: /api/public
Action: Challenge
```

<Info>
  **Real-World Scenario**

  Many attacks try to use POST requests to endpoints that should only accept GET. Monitoring unexpected methods can reveal reconnaissance attempts or application abuse.
</Info>

## Best Practices

### DO:

* **Consider method-path combinations** - GET to `/api/delete` might be suspicious
* **Monitor unusual methods** - TRACE, CONNECT, OPTIONS might indicate scanning
* **Validate API patterns** - Ensure methods match your API design
* **Start with monitoring** - Understand normal patterns before blocking

### DON'T:

* **Block all POST requests** - This would break most forms
* **Ignore GET requests** - They can still leak data or cause issues
* **Assume safety** - GET requests can still be malicious
* **Forget about APIs** - They use methods differently than browsers

## Common Attack Patterns

| Pattern                | What to Look For                 | Suggested Action       |
| ---------------------- | -------------------------------- | ---------------------- |
| Method Override        | POST with `_method` parameter    | Monitor closely        |
| Verb Tampering         | Wrong method for endpoint        | Challenge or block     |
| REST Misconfiguration  | DELETE/PUT to unauthorized paths | Block                  |
| Scanner Fingerprinting | OPTIONS/TRACE requests           | Monitor and rate limit |

## Integration Tips

<Tip>
  **Combine with Other Fields**

  Request Method becomes powerful when combined with:

  * **Request Path** - Match specific endpoint behaviors
  * **User Agent** - Identify automated tools using unusual methods
  * **Client IP** - Track sources of suspicious method usage
  * **Headers** - Look for method override headers
</Tip>

## Troubleshooting

**"Why isn't my policy matching?"**

* Check for exact case (GET not get)
* Verify the actual method being sent (check browser DevTools)
* Some frameworks convert methods (e.g., forms using POST with \_method)

**"I'm blocking legitimate traffic!"**

* Review which paths truly need protection
* Consider using Challenge instead of Block
* Check if your application uses method overrides

## Related Fields

* [Request Path](./request-path) - Often used together for precise rules
* [Headers](./headers) - May contain method override information
* [Body Data](./body-data) - POST/PUT/PATCH requests contain body data
