PATCH (HTTP)
HTTP |
---|
Request methods |
Header fields |
Response status codes |
Security access control methods |
Security vulnerabilities |
In computing, the PATCH method is a
History of PATCH
As per the semantics defined in the
PUT vs PATCH vs POST
The main difference between the PUT and PATCH method is that the PUT method uses the request
The POST method can be used for sending partial updates to a resource. The main difference between the POST and PATCH methods is that the POST method can be used only when it is written to support the applications or the applications support its semantics whereas the PATCH method can be used in a generic way and does not require application support. If the outcome of using the PATCH method is not known then the POST method is preferred.[1][6]
Patching resources
The PATCH method is
A cached PATCH response is considered stale. It can only be used for the GET and HEAD requests that may follow the PATCH request.[1]
The entity headers in the PATCH document are only applicable to the PATCH document and cannot be applied to the requested resource.[1]
There is no standard format for the PATCH document and it is different for different types of resources. The server has to check whether the PATCH document received is appropriate for the requested resource.[1]
A JSON Patch document would look like
[
{ "op": "add", "path": "/count", "value": 1 }
]
"op" represents the operation performed on the resource. "path" represents the resource being modified. "value" represents the amount being added to the existing resource.[7] Before applying the changes in the PATCH document, the server has to check whether the PATCH document received is appropriate for the requested resource. If the PATCH request succeeds then it returns a 204 response.[8]
A XML PATCH document would look like
<add sel="doc/user[@email='[email protected]']" type="@address">
ABC Road
</add>
The element <user> is located using the 'email' attribute. A new attribute 'address' with the value "ABC Road" is added to the <user> element.[9]
Example
A simple PATCH request example
PATCH /example.txt HTTP/1.1
Host: www.example.com
Content-Type: application/example
If-Match: "c0b42b66e"
Content-Length: 120
[Changes: the patch document containing all the changes that need to be made on the resource example.txt]
Successful PATCH response to existing text file:
HTTP/1.1 204 No Content
Content-Location: /example.txt
ETag: "dd541480"
The response 204 means that the request was processed successfully.[10]
Trade-offs between PUT and PATCH
Using the
Caution
The PATCH method is not "safe" in the sense of RFC 2616: it may modify resources, not necessarily limited to those mentioned in the
The PATCH method is not idempotent. It can be made idempotent by using a conditional request.[1] When a client makes a conditional request to a resource, the request succeeds only if the resource has not been updated since the client last accessed that resource. This also helps in preventing corruption of the resource since some updates to a resource can only be performed starting from a certain base point.[1]
Error handling
A PATCH request can fail if any of the following errors occur:
Malformed patch document
The server returns a 400 (Bad request) response if the PATCH document is not formatted as required.[1]
Unsupported patch document
The server returns a 415 (Unsupported Media Type) response with an Accept-Patch response header containing supported media types when the client sends a patch document in a format not implemented by the server. This informs the client that the PATCH document sent by the client cannot be applied to the requested resource.[1]
Unprocessable request
The server returns a 422 (Unprocessable Entity) response when the server understands the PATCH document but is unable to modify the requested resource either because it causes the resource to become invalid or it results in some other error state.[1]
Resource not found
The server returns a 404 (Not Found) response when the PATCH document cannot be applied to a non-existent resource.[1]
Conflicting state
The server returns a 409 (Conflict) response when the server cannot apply a patch for the current state of the resource.[1]
Conflicting modification
The server returns a 412 (Precondition Failed) response when the precondition supplied by the client using the If-Match or If-Unmodified-Since header fails. If no precondition is supplied and there is a conflicting modification then the server returns a 409 (Conflict) response.[1]
Concurrent modification
The server returns a 409 (Conflict) response if the PATCH requests to a certain resource need to be applied in a certain order and the server is not able to handle concurrent PATCH requests.[1]
Security considerations
The PATCH request needs to use mechanisms such as conditional requests using Etags and the If-Match request header to ensure that data is not corrupted while patching.[1] In case of a failure of a PATCH request or failure of the channel or a timeout, the client can use a GET request to check the state of the resource.[1] The server has to ensure that malicious clients do not use the PATCH method for consuming excessive server resources.[1]
References
- ^ )
- ^ "Don't Patch Like An Idiot". Don't Patch Like An Idiot. 14 February 2014. Retrieved 16 September 2015.
- ^ RFC 5789
- ^ "History of PATCH". weblog.rubyonrails.org. Retrieved 25 September 2015.
- ^ "Hypertext Transfer Protocol -- HTTP/1.1". Retrieved 13 September 2015.
- ^ "Why PATCH is Good for Your HTTP API". Why PATCH is Good for Your HTTP API. Retrieved 16 September 2015.
- ^ "JSON Patch - draft-ietf-appsawg-json-patch-08". Ietf Datatracker. Retrieved 13 September 2015.
- ^ "PATCH". MDN Web Docs. Retrieved 2018-10-11.
- doi:10.17487/RFC5261. Retrieved 25 September 2015.
- ^ "PATCH". MDN Web Docs. Retrieved 2018-10-12.
- ^ Darren (7 May 2014). "REST API Best Practices 3: Partial Updates - PATCH vs PUT". www.blogger.com. Retrieved 13 September 2015.