Sensitivity Training

The HTTP specification defines the method of a request in section 5.1.1. This definition dates to 1992.

The Method token indicates the method to be performed on the resource identified by the Request-URI. The method is case-sensitive.

Various cookbooks for constructing a request refer to POST as POST, and nothing but POST.

And, yet, we get requests like this. Addresses and URIs have been obscured to protect the victim.

10.0.0.1 - - [21/Aug/2007:08:32:44 -0700] "Post /myEndpoint HTTP/1.1" 200 254 "-" "libwww-perl/5.76"

HTTP 1.0 was published as informational RFC 1945 in 1996. That’s more than enough time for HTTP user agent developers to read the short sentence requiring case-sensitivity. Even if you come from the copy-and-paste school of programming, there’s no excuse. What are you going to say? Oops, Microsoft Word automatically proper-cased that for me?

Actually, yes, it did. In the requirements for the application interface.

2 Comments

  1. Perhaps equally alarming is the HTTP 200 response code. You can’t get all mad at the user agents when the server-side application doesn’t care either. Many web application environments don’t care at all what HTTP method is used. Never mind case. When application servers try to map HTTP requests to application code, that map should use both method and path as the key, not path alone.
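
An added example, not part of the original post or its comments: a log audit that flags access-log entries like the one above, where the method token matches a standard method only when case is ignored, and records whether the server answered 2xx anyway. The function names are this example's own, and every sample line except the first is constructed.

```python
import re

# Methods defined in RFC 2616 section 5.1.1. Tokens are case-sensitive, so
# "Post" is syntactically an extension method, not POST.
KNOWN_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}

# Common/combined log format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+')

# Constructed sample input. The first line is the page's entry written with
# plain ASCII quotes and hyphens; the others are made up for this example.
SAMPLE_LOG = [
    '10.0.0.1 - - [21/Aug/2007:08:32:44 -0700] "Post /myEndpoint HTTP/1.1" 200 254 "-" "libwww-perl/5.76"',
    '10.0.0.2 - - [21/Aug/2007:08:33:01 -0700] "POST /myEndpoint HTTP/1.1" 200 254 "-" "example-agent/1.0"',
    '10.0.0.3 - - [21/Aug/2007:08:33:10 -0700] "get /index.html HTTP/1.1" 501 0 "-" "example-agent/1.0"',
    '10.0.0.4 - - [21/Aug/2007:08:33:15 -0700] "PROPFIND /dav HTTP/1.1" 405 0 "-" "example-agent/1.0"',
]

def audit_line(line):
    """Return a finding for a miscased standard method, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")
    if len(parts) != 3:  # expect: method, request-target, HTTP-version
        return None
    method, target, _version = parts
    # Exact match is fine; tokens unrelated to a standard method are out of scope.
    if method in KNOWN_METHODS or method.upper() not in KNOWN_METHODS:
        return None
    status = int(m.group("status"))
    return {
        "host": m.group("host"),
        "method": method,
        "target": target,
        "status": status,
        # A 2xx means the server side treated the miscased token as valid.
        "accepted": 200 <= status < 300,
    }

def audit(lines):
    """Collect findings for every line that carries a miscased method."""
    return [f for f in (audit_line(line) for line in lines) if f is not None]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Findings with `accepted` set to true point at endpoints whose server-side dispatch ignores method case, which is where the fix belongs.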
