New HTTP QUERY Method Works in Runtimes but Triggers Edge Bot Filters in Production

RFC 10008 formally introduced QUERY as a new HTTP method in June 2025, offering GET-like semantics — safe, idempotent, and cacheable — while allowing query data to be sent in the request body rather than the URL. A developer tested QUERY across multiple production and local environments, including Vercel serverless functions in Python and Node, Supabase Edge, and local FastAPI, finding that all runtimes handled the method correctly. However, Vercel's built-in bot mitigation system began issuing 403 challenge responses specifically for QUERY requests, blocking them at the edge before they ever reached the backend function. The issue was reproduced from a second client, with GET and POST requests completing cleanly while QUERY traffic was flagged as suspicious from the fourth request onward. The findings highlight that while server runtimes and frameworks are increasingly ready for QUERY, edge infrastructure and security layers have yet to recognise it as a legitimate HTTP method.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)
Log in to join the discussion and vote.
Log in