HTTP Verb Tunnelling

What is it?

HTTP verb tunnelling (sometime called HTTP method override) is actually hack. This is provided to solve situation where web application running behind strict-policy firewall which only allows GET and POST request.

To allow PUT, DELETE, OPTIONS, PATCH method to be used, developer can use POST method and X-Http-Method-Override request header set to appropriate method as shown in following snippet,

POST /delete HTTP/1.1
Host: myapp.fano
X-Http-Method-Override: DELETE

In example above, http://myapp.fano/delete is assumed only handle DELETE request. Using apropriate header value, client can send as POST request which will be translated as DELETE request.

Using HTTP verb tunnelling in Fano Framework

To allow HTTP verb tunnelling, you need to use TVerbTunnellingDispatcher class as shown in following example code,

function TAppServiceProvider.buildDispatcher(
    const ctnr : IDependencyContainer;
    const routeMatcher : IRouteMatcher;
    const config : IAppConfiguration
) : IDispatcher;
begin
    ctnr.add(
        GuidToString(IDispatcher),
        TVerbTunnellingDispatcherFactory.create(
            TSimpleDispatcherFactory.create(
                routeMatcher,
                TRequestResponseFactory.create()
            )
        )
    );
    result := ctnr[GuidToString(IDispatcher)] as IDispatcher;
end;

Using this type of dispatcher, when Fano Framework receives POST request with X-Http-Method-Override header set, it uses verb set in header value instead. This new verb is tested against known HTTP verb (GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD). If not one of allowed methods, EInvalidMethod exception is raised.

If you need to use this, you need to understand security implication of HTTP verb tampering issue.

Explore more