GET
The HTTP GET method requests a representation of a resource without modifying server state. GET is the most common HTTP method and the primary mechanism for retrieving information on the web.
Usage
A GET request retrieves data without modifying server state. Any content in the request body has no generally defined semantics, and the entire query is expressed through the target URI and headers. Responses are cacheable by default, making GET the foundation of web Caching.
GET is the browser default for navigation, link
clicks, and form submissions without a method
attribute.
The HTTP specification does not forbid a body in GET requests, but the semantics of such a body are undefined. Browsers and the Fetch API strip GET request bodies. Many servers and proxies ignore or reject them. Relying on a body in a GET request is not safe for interoperability.
Properties
| Property | Value |
|---|---|
| Safe | Yes |
| Idempotent | Yes |
| Cacheable | Yes |
Because GET is safe and idempotent, sending the same request multiple times produces the same result and does not alter the resource. Browsers, crawlers, and proxies all rely on this guarantee.
Conditional GET
A GET request becomes conditional when one or more validator headers are present: If-Match, If-None-Match, If-Modified-Since, If-Unmodified-Since, or If-Range. The server evaluates the condition and returns the full representation only when the condition is met.
- If-None-Match or If-Modified-Since: the server returns 304 when the resource has not changed, saving bandwidth.
- If-Match or If-Unmodified-Since: the server returns 412 when the precondition fails.
- If-Range: the server returns 206 for a partial response on success, or 200 with the full body when the condition is not met.
Partial GET
Including a Range header turns a GET into a partial request. The server returns only the requested byte range with a 206 status. A 416 status indicates the range is not satisfiable. Servers not supporting range requests return 200 with the full body.
Partial GET is useful for resuming interrupted downloads and Streaming large files in segments.
Example
Basic GET
A minimal GET request retrieves the root resource. The server returns 200 with the full representation.
Request
GET / HTTP/1.1
Host: www.example.re
Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1256
<!doctype html>
<html>...
Conditional GET
This request includes If-Modified-Since, so the server returns the body only when the resource has changed since the specified date. An unchanged resource produces a 304 with no body.
Request
GET / HTTP/1.1
Host: www.example.re
If-Modified-Since: Sat, 01 Jan 2022 12:00:00 GMT
Response (not modified)
HTTP/1.1 304 Not Modified
ETag: "abc123"
Partial GET
The Range header requests only the first 512 bytes. The server responds with 206 and a Content-Range header indicating the returned segment.
Request
GET /file.bin HTTP/1.1
Host: www.example.re
Range: bytes=0-511
Response
HTTP/1.1 206 Partial Content
Content-Range: bytes 0-511/8192
Content-Length: 512
CORS
GET is a CORS-safelisted method. Cross-origin GET requests do not trigger a preflight request, making GET the default method for cross-origin resource fetching in browsers.
GET vs POST
GET retrieves data. POST submits data for processing. GET parameters travel in the URL query string, while POST parameters go in the request body.
GET responses are cacheable and bookmarkable. POST responses are cacheable only with explicit freshness information. URLs have practical length limits, restricting the amount of data GET carries. POST has no practical body size limit.
GET is both safe and idempotent. POST is neither. A repeated GET returns the same result. A repeated POST creates duplicate resources or triggers processing twice.
The performance difference between GET and POST is negligible. The choice depends on the operation: retrieval uses GET, submission uses POST.
Security
GET parameters are visible in the URL, browser history, server logs, and Referer headers. Sensitive data such as passwords, tokens, and personally identifiable information must never appear in query strings.
GET requests are more exposed to
CSRF attacks through <img> and <link>
tags that trigger GET requests automatically. POST
is also vulnerable to CSRF without proper tokens.
Neither GET nor POST provides encryption on its own. HTTPS is required to protect data in transit.
See also
- RFC 9110: HTTP Semantics
- HEAD
- POST
- Range request
- Conditional requests
- Content negotiation
- Caching
- HTTP methods
- HTTP headers