Difference between idempotent and safe HTTP methods in REST APIs

Question

How could the PUT method be idempotent but not safe? Can someone explain it out?

HTTP Method   Idempotent      Safe
OPTIONS        yes            yes
GET            yes            yes
HEAD           yes            yes
PUT            yes            no
POST           no             no
DELETE         yes            no
PATCH          no             no

Answer 1

Safe method doesn't change anything internally (resources)

Safe methods are methods that can be cached, prefetched without any repercussions to the resource.

Idempotent method doesn't change anything externally (response)

idempotent HTTP method is a HTTP method that can be called many times without different outcomes.

Answer 2

It's all in the specification:

4.2.2. Idempotent Methods

A request method is considered "idempotent" if the intended effect on the server of multiple identical requests with that method is the same as the effect for a single such request. Of the request methods defined by this specification, PUT, DELETE, and safe request methods are idempotent.

Like the definition of safe, the idempotent property only applies to what has been requested by the user; a server is free to log each request separately, retain a revision control history, or implement other non-idempotent side effects for each idempotent request.

Idempotent methods are distinguished because the request can be repeated automatically if a communication failure occurs before the client is able to read the server's response. For example, if a client sends a PUT request and the underlying connection is closed before any response is received, then the client can establish a new connection and retry the idempotent request. It knows that repeating the request will have the same intended effect, even if the original request succeeded, though the response might differ.

(https://greenbytes.de/tech/webdav/rfc7231.html#idempotent.methods)