Reputation: 71
Until now I have been using only the POST method to create web services (not for websites). I thought it was more secure and the better way, if it is not for a website, because the parameters are not stored in web server logs when sensitive data is sent.
Now I'm not sure if this is RESTful compliant and the best way. My current definition is something like:
POST https://{url}/order/getOrder
Content-Type: application/json
{
"orderId": "42"
}
Normally a GET request would be
GET https://{url}/order/42
or
GET https://{url}/order/getOrder
Content-Type: application/json
{ "orderId" : 42 }
My question is whether all examples are RESTful compliant, or only the last two.
Best regards, jd
Upvotes: 1
Views: 201
Reputation: 57239
Now I'm not sure if this is RESTful compliant and the best way
Technically, I suppose not. Cache constraints are a first class concern in the REST architectural style:
Cache constraints require that the data within a response to a request be implicitly or explicitly labeled as cacheable or non-cacheable.
In the HTTP specification, POST is explicitly listed as a cacheable method. However, the cache invalidation specification requires that a non-error response to a POST request invalidates previously cached entries for the effective Request URI.
So for queries, which would normally be safe operations anyway, you should be using GET or HEAD.
Thus, of the options that you've listed, the "REST compliant" approach would be
GET https://{url}/order/42
Your third alternative fails for a different reason:
A payload within a GET request message has no defined semantics
This is primarily, I would argue, because it is difficult for caches to do sensible things when the payload needs to be considered part of the cache key.
Upvotes: 2
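The caching behaviour the answer describes, as an added example that is not part of either post: a toy cache keyed only on the request URI, placed in front of a constructed order service. `Origin`, `UriKeyedCache` and `run_demo` are hypothetical names, and the model is simplified in that it never stores POST responses.

```python
import json

class Origin:
    """Backend order service; counts how often it is actually reached."""
    def __init__(self):
        self.hits = 0

    def handle(self, method, uri, body=None):
        self.hits += 1
        # The order id comes from the JSON body if present, else from the path.
        oid = json.loads(body)["orderId"] if body else uri.rsplit("/", 1)[1]
        # Cache constraint: the response is explicitly labelled as cacheable.
        return 200, {"Cache-Control": "max-age=60"}, json.dumps({"orderId": int(oid)})


class UriKeyedCache:
    """Simplified cache: the key is the effective request URI, nothing else."""
    def __init__(self, origin):
        self.origin = origin
        self.store = {}

    def request(self, method, uri, body=None):
        if method == "GET" and uri in self.store:
            return "HIT", self.store[uri][2]
        resp = self.origin.handle(method, uri, body)
        if method == "GET":
            self.store[uri] = resp
        elif resp[0] < 400:
            # Non-error response to POST: invalidate the entry for this URI.
            self.store.pop(uri, None)
        return "MISS", resp[2]


def run_demo():
    origin = Origin()
    cache = UriKeyedCache(origin)
    q42, q43 = '{"orderId": "42"}', '{"orderId": "43"}'  # constructed bodies
    steps = [
        ("GET", "/order/42", None),
        ("GET", "/order/42", None),         # answered by the cache
        ("POST", "/order/getOrder", q42),
        ("POST", "/order/getOrder", q42),   # same query, origin reached again
        ("GET", "/order/getOrder", q42),
        ("GET", "/order/getOrder", q43),    # body ignored: cached order 42 returned
    ]
    return [cache.request(*s) for s in steps], origin.hits

if __name__ == "__main__":
    for row in run_demo()[0]:
        print(row)
```

The last step is the failure mode behind the "no defined semantics" remark: a request for order 43 receives the cached representation of order 42 because the payload is not part of the cache key.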