Dev News: A POST/GET Debate, Yarn 4.0, and Node.js Updates
Programmer Matthew Phillips has an “unpopular opinion” that he shared via — where else — the X platform (formally Twitter):
“Don’t use http verbs PUT, PATCH, DELETE. Just use POST for everything,” the creator of web framework Astro and Lucy Lang wrote. His reasons for this, in his own words:
doesn’t support the others. Frameworks that allow it to do so through hacks.
URLs are free, you don’t gain anything by overloading them.
Purity < practicality
The tweet solicited responses that ranged from “Nope” and “Yes, that is an unpopular opinion” to more nuanced opinions.
Christian Findlay, an Australian programmer who works with Flutter and dotnet, went a step further, responding that he cannot see any benefit to the REST “pseudo” standard at all.“The only exception would be large-scale systems that need a standard REST API for mass public consumption,” Findlay wrote. “HTTP was designed in different era and the prescriptive verbs don’t make a lot of sense.”
Simon Willison, who co-created Django, shared that he is an also “a member of team ‘don’t bother with verbs beside GET and POST.’”
“I’ve never encountered an API that uses them and thought ‘Great, this will make this API easier to understand and use,” he said. “It’s been way over a decade — I’m ready to say that I haven’t found the value in them.”Jake Archibald, engineer at Shopify, also added his support to Phillips.
“GET vs POST have meaningful behavior differences in browsers. Use GET for stuff without side-effects, otherwise, use POST,” Archibald wrote. “The other verbs? Nah. I’ve always found it easier to be expressive in the URL than the HTTP verb.”
Maciej Nux, tech lead on a library systems company and a self-described JavaScript native and security freak, pointed out there are security benefits to DELETE/PUT.
“From a security perspective DELETE/PUT is safer because you cannot use them in forms,” he wrote. This blocks some attack vectors (CSRF). You could add some extra layers, but being safer by default is nice.”
“I think you’re in trouble if that’s your attack mitigation,” Archibald responded.
To which Nux countered, ”For me, security is always layers. Layers upon layers. And this one doesn’t cost much. For me at least.”
Several people piped up to say the problem is REST, which, they pointed out, isn’t a standard and is based on an old web paradigm. Not everyone was anti-REST, though.
“I think REST is amazing and beautiful and I wish people would take the time to actually learn how to do it,” Brantly Harris shared. “Unfortunately that has never happened, so I’m coming around to your position. Mostly out of spite, though.”