Hubbry Logo
PATCH (HTTP)PATCH (HTTP)Main
Open search
PATCH (HTTP)
Community hub
PATCH (HTTP)
logo
8 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Contribute something
PATCH (HTTP)
PATCH (HTTP)
PATCH (HTTP)
View on Wikipedia
from Wikipedia

In computing, the PATCH method is a request method in HTTP for making partial changes to an existing resource.[1] The PATCH method provides an entity containing a list of changes to be applied to the resource requested using the HTTP Uniform Resource Identifier (URI).[1] The list of changes are supplied in the form of a PATCH document.[1] If the requested resource does not exist then the server may create the resource depending on the PATCH document media type and permissions.[1] The changes described in the PATCH document must be semantically well defined but can have a different media type than the resource being patched.[2] Languages such as XML or JSON can be used in describing the changes in the PATCH document.

History of PATCH

[edit]

As per the semantics defined in the HTTP protocol, the GET, PUT, and POST methods need to use a full representation of the resource. The PUT method which can be used for resource creation or replacement is idempotent and can be used only for full updates. The edit forms used in conventional Ruby on Rails application need to create new resources by applying partial updates to a parent resource. Due to this requirement, the PATCH method was added to the HTTP protocol in 2010.[3][4]

PUT vs PATCH vs POST

[edit]

HTTP is the foundation of data communication for the World Wide Web. It is a request-response protocol which helps users communicate with the server to perform CRUD operations. HTTP defines a number of request methods such as PUT, POST and PATCH to create or update resources.[5]

The main difference between the PUT and PATCH method is that the PUT method supplies a modified version of the requested resource which replaces the original version of the resource, whereas the PATCH method supplies a set of instructions to modify the resource. If the PATCH document is larger than the size of the new version of the resource sent by the PUT method then the PUT method is preferred.[1]

The POST method can be used for sending partial updates to a resource. The main difference between the POST and PATCH methods is that the POST method can be used only when it is written to support the applications or the applications support its semantics whereas the PATCH method can be used in a generic way and does not require application support. If the outcome of using the PATCH method is not known then the POST method is preferred.[1][6]

Patching resources

[edit]

The PATCH method is atomic.[1] Either all the changes specified by the PATCH method are applied or none of the changes are applied by the server.[1] There are many ways of checking whether a patch was applied successfully. For example, the 'diff' utility can be applied to the older version and newer version of a file to find the differences between them.[1]

A cached PATCH response is considered stale. It can only be used for the GET and HEAD requests that may follow the PATCH request.[1]

The entity headers in the PATCH document are only applicable to the PATCH document and cannot be applied to the requested resource.[1]

There is no standard format for the PATCH document and it is different for different types of resources. The server has to check whether the PATCH document received is appropriate for the requested resource.[1]

A JSON Patch document would look like 

[
  { "op": "add", "path": "/count", "value": 1 }
]

"op" represents the operation performed on the resource. "path" represents the resource being modified. "value" represents the amount being added to the existing resource.[7] Before applying the changes in the PATCH document, the server has to check whether the PATCH document received is appropriate for the requested resource. If the PATCH request succeeds then it returns a 204 response.[8]

A XML PATCH document would look like 

<add sel="doc/user[@email='xyz@abc.com']" type="@address">
ABC Road
</add>

The element <user> is located using the 'email' attribute. A new attribute 'address' with the value "ABC Road" is added to the <user> element.[9]

Example

[edit]

A simple PATCH request example 

  PATCH /example.txt HTTP/1.1
  Host: www.example.com
  Content-Type: application/example
  If-Match: "c0b42b66e"
  Content-Length: 120
  
  [Changes: the patch document containing all the changes that need to be made on the resource example.txt]

Successful PATCH response to existing text file: 

  HTTP/1.1 204 No Content
  Content-Location: /example.txt
  ETag: "dd541480"

The response 204 means that the request was processed successfully.[10]

Trade-offs between PUT and PATCH

[edit]

Using the PUT method consumes more bandwidth as compared to the PATCH method when only a few changes need to be applied to a resource.[citation needed] But when the PATCH method is used, it usually involves fetching the resource from the server, comparing the original and new files, creating and sending a diff file. On the server side, the server has to read the diff file and make the modifications. This involves a lot of overhead compared to the PUT method.[11] On the other hand, the PUT method requires a GET to be performed before the PUT and it is difficult to ensure that the resource is not modified between the GET and PUT requests.

Caution

[edit]

The PATCH method is not "safe" in the sense of RFC 2616: it may modify resources, not necessarily limited to those mentioned in the URI.[1]

The PATCH method is not idempotent. It can be made idempotent by using a conditional request.[1] When a client makes a conditional request to a resource, the request succeeds only if the resource has not been updated since the client last accessed that resource. This also helps in preventing corruption of the resource since some updates to a resource can only be performed starting from a certain base point.[1]

Error handling

[edit]

A PATCH request can fail if any of the following errors occur:

Malformed patch document

[edit]

The server returns a 400 (Bad request) response if the PATCH document is not formatted as required.[1]

Unsupported patch document

[edit]

The server returns a 415 (Unsupported Media Type) response with an Accept-Patch response header containing supported media types when the client sends a patch document in a format not implemented by the server. This informs the client that the PATCH document sent by the client cannot be applied to the requested resource.[1]

Unprocessable request

[edit]

The server returns a 422 (Unprocessable Entity) response when the server understands the PATCH document but is unable to modify the requested resource either because it causes the resource to become invalid or it results in some other error state.[1]

Resource not found

[edit]

The server returns a 404 (Not Found) response when the PATCH document cannot be applied to a non-existent resource.[1]

Conflicting state

[edit]

The server returns a 409 (Conflict) response when the server cannot apply a patch for the current state of the resource.[1]

Conflicting modification

[edit]

The server returns a 412 (Precondition Failed) response when the precondition supplied by the client using the If-Match or If-Unmodified-Since header fails. If no precondition is supplied and there is a conflicting modification then the server returns a 409 (Conflict) response.[1]

Concurrent modification

[edit]

The server returns a 409 (Conflict) response if the PATCH requests to a certain resource need to be applied in a certain order and the server is not able to handle concurrent PATCH requests.[1]

Security considerations

[edit]

The PATCH request needs to use mechanisms such as conditional requests using Etags and the If-Match request header to ensure that data is not corrupted while patching.[1] In case of a failure of a PATCH request or failure of the channel or a timeout, the client can use a GET request to check the state of the resource.[1] The server has to ensure that malicious clients do not use the PATCH method for consuming excessive server resources.[1]

References

[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

PATCH (HTTP)

View on Grokipedia
from Grokipedia
In the Hypertext Transfer Protocol (HTTP), the PATCH method is a request method designed to apply partial modifications to a resource identified by a (URI), allowing clients to update specific parts of a resource without replacing the entire entity. Defined in RFC 5789 as an extension to HTTP/1.1, PATCH enables more efficient and precise updates compared to the PUT method, which requires sending a complete replacement representation of the resource. The request body of a PATCH typically contains a "patch document"—a set of instructions in a specified (e.g., application/merge-patch+json or application/json-patch+json)—that describes how the server should modify the target resource. Unlike idempotent methods such as PUT, PATCH is neither safe nor idempotent by default, meaning repeated applications may result in different outcomes depending on the patch semantics, and servers are required to apply the changes atomically to ensure consistency. To support conditional patching and avoid conflicts, PATCH requests can include preconditions like the If-Match header with entity tags (ETags). Servers advertise PATCH support via the Accept-Patch response header in OPTIONS requests, specifying allowed media types for patch documents. Common error responses include 400 (Bad Request) for malformed patches, 409 (Conflict) for precondition failures, and 422 (Unprocessable Entity) for semantic issues in the patch. Introduced in 2010 to address limitations in earlier HTTP methods for partial updates, PATCH has become a standard in RESTful APIs for scenarios like modifying user profiles or configuration files without transmitting full datasets, promoting bandwidth efficiency and reducing error risks in distributed systems. While the method itself is version-agnostic and supported in HTTP/1.1 and later versions including and , its adoption relies on standardized patch formats such as (RFC 6902) for JSON resources or Merge Patch (RFC 7396) to ensure interoperability across implementations.

Definition and Purpose

Formal Definition

The HTTP PATCH method is a request method in the Hypertext Transfer Protocol (HTTP) that enables partial modifications to a resource identified by the Request-URI. Specifically, "the PATCH method requests that a set of changes described in the request entity be applied to the resource identified by the Request-URI." The request entity contains a "patch document," which consists of a set of instructions describing how the resource currently residing on the origin server should be modified, rather than providing a complete replacement representation. This document is identified by a , but no default format is mandated, allowing flexibility in how changes are specified. Upon receiving a PATCH request, the server is required to apply the changes to the resource in an atomic manner, ensuring that the resource is never left in a partially modified state. A successful response is indicated by a 2xx status code, such as 204 No Content, confirming that the modifications have been fully applied. Unlike safe methods like GET, PATCH is neither safe nor idempotent by default, meaning repeated invocations may result in different outcomes depending on the patch document's semantics; however, idempotency can be achieved through conditional requests, such as using the If-Match header. Servers claiming support for PATCH must handle it appropriately for the resource's , but the precise implementation of the changes remains server-defined, without requiring adherence to a specific patch format. In distinction from full replacement methods like PUT, where the enclosed entity represents the complete modified version of the resource, PATCH focuses on incremental updates via targeted instructions, making it suitable for scenarios where only portions of the resource need alteration. This semantic difference underscores PATCH's role in enabling efficient, partial resource management without necessitating the transmission of the entire resource state.

Intended Use Cases

The PATCH method is particularly suited for partial updates to large , where only specific fields or sections need modification without requiring the transmission or replacement of the entire representation. For instance, in a managing user profiles, an application might use PATCH to update a single attribute, such as an or phone number, thereby avoiding the inefficiency of resending the full containing biographical details, preferences, and other unchanged data. In bandwidth-constrained environments like mobile applications or (IoT) devices, PATCH minimizes data transfer by conveying only the differential changes, reducing latency and conserving limited network resources compared to methods that demand complete payloads. This approach is especially beneficial for battery-powered devices that frequently synchronize small status updates, such as readings or configuration tweaks, without the overhead of full fetches or replacements. PATCH finds application in versioning systems where full resource replacement via other methods could introduce risks, such as overwriting concurrent modifications or violating optimistic locking mechanisms. By supporting conditional requests (e.g., via If-Match headers), it enables safe, targeted alterations to versioned entities, like appending entries to audit logs or incrementally revising database records without a predefined baseline state. Real-world applications include updating task statuses in management systems, where PATCH allows atomic changes to progress indicators (e.g., from "pending" to "approved") across distributed services without disrupting the broader state. Similarly, in architectures, it facilitates precise configuration modifications, such as adjusting a single in a service's settings, ensuring and reducing inter-service data exchange.

Historical Background

Early Proposals

The development of the HTTP PATCH method began with an initial Internet-Draft authored by Lisa Dusseault in November 2003, titled "HTTP PATCH," which proposed a new method to enable partial modifications to existing resources. This draft addressed the shortcomings of the existing PUT method, which required complete resource replacement and often led to inefficiencies or errors when only specific parts needed updating. The proposal evolved from broader discussions within IETF HTTP working groups dating back to the late 1990s and early 2000s, particularly around extending core HTTP methods (GET, , PUT, DELETE) to better support distributed authoring and versioning protocols like and DeltaV. These conversations highlighted the need for more granular resource manipulation without relying on ad-hoc extensions or overloading existing methods. Key motivations outlined in the early drafts included enabling efficient partial updates in scenarios such as WebDAV-based authoring for large files (e.g., in tools like ), DeltaV versioning for incremental changes across multiple files, and lightweight configuration updates in the SIMPLE working group for presence and systems. A central aim was to support non-idempotent partial modifications—allowing operations that might not be safely repeatable without altering the resource in unintended ways—while avoiding the resource creation side effects typical of POST requests. The draft received initial feedback through the IETF HTTP mailing list, focusing on issues like formats, error responses for unsupported patches (e.g., 501 Not Implemented), and with caching mechanisms. It underwent multiple iterations, including versions 01 through 06 in 2004, which refined semantics and incorporated references to existing delta standards like RFC 3229. After a hiatus, the effort resumed in 2007 with James M. Snell as co-author in draft-07, introducing MIME-based media types for patch documents and addressing prior concerns about encoding flexibility. Further revisions continued through 2009, culminating in draft-16 on November 25, 2009, which incorporated feedback on concurrency handling, status codes, and registry requirements.

Standardization Process

The PATCH method for HTTP was formally standardized in March 2010 through RFC 5789, published as a Proposed Standard by the Internet Engineering Task Force (IETF). Authored by Lisa M. Dusseault and James M. Snell, the document defines PATCH as a method for applying partial modifications to resources, distinguishing it from full replacements via PUT, and specifies its non-safe and non-idempotent semantics as per HTTP/1.1. In 2022, the PATCH method was integrated into the consolidated HTTP semantics specification in RFC 9110, which obsoleted earlier HTTP/1.1 documents and elevated HTTP to status (STD 97). This update affirmed the core definition and usage of PATCH without introducing major changes, maintaining its role in enabling precise resource updates while emphasizing that its semantics depend on the request's . Errata for RFC 5789 have been documented in the IETF datatracker, with a key verified technical (ID 3169) providing clarification on . This specifies that servers should reject PATCH requests using without defined patch semantics—such as generic "application/xml" or "application/"—with a 415 Unsupported response, ensuring predictable . The original RFC already addresses idempotency by stating that repeated identical PATCH requests may produce different results, unlike idempotent methods like PUT. As of 2025, no significant updates to the PATCH specification have occurred since RFC 9110, reflecting its stability within the HTTP protocol family. The method continues to be referenced in modern specifications, including HTTP/3 (RFC 9114), which inherits PATCH semantics from the shared HTTP architecture without alteration.

Comparisons with Other Methods

PATCH versus PUT

The HTTP PUT method requests that the state of the target resource be created or replaced with the state defined by the representation enclosed in the request message payload. In contrast, the PATCH method requests that a set of changes described in the request entity be applied to the resource identified by the request URI, enabling partial modifications without requiring the full resource representation. This semantic difference means PUT performs a complete replacement, treating the enclosed entity as the new version of the entire resource, whereas PATCH provides instructions for targeted alterations to the existing resource state. Regarding idempotency, PUT is defined as idempotent, such that multiple identical requests have the same effect as a single request, with no additional side effects on the server state. PATCH, however, is neither safe nor idempotent in general, as repeating the request may lead to different outcomes depending on the patch format and application (e.g., operations like incrementing a counter). Idempotency for PATCH can be achieved through conditional requests, such as using the If-Match header with ETags, but it is not inherent to the method. In terms of resource handling, PUT requires the client to have complete knowledge of the 's current state to construct the full replacement, which can be inefficient for large or complex resources. PATCH allows clients to send only the necessary changes, avoiding the need to resend unchanged portions and supporting formats like for precise updates. For simple resources or scenarios requiring full , PUT is appropriate, as it ensures the resource matches the client's representation exactly; PATCH is preferable for complex or large resources where partial updates reduce bandwidth and minimize error risks from incomplete state knowledge. Both methods impact caching and versioning similarly in core semantics: a successful PUT or PATCH response (2xx or 3xx status) requires caches to invalidate the effective request URI, as well as any URIs indicated by Location or Content-Location headers (if on the same host).

PATCH versus POST

The HTTP POST method is primarily intended for submitting data to be processed by the target resource according to its specific semantics, such as creating new resources, appending data to existing ones, or triggering server-side operations like form submissions. Unlike other methods, POST is not idempotent, meaning that repeating the same request may result in different outcomes, such as multiple resource creations. The target URI in a POST request identifies the resource responsible for processing the enclosed representation, but it does not necessarily correspond to the location of any newly created resource; instead, the server may assign and return a new URI via the Location header if creation occurs. In contrast, the HTTP PATCH method is designed strictly for applying partial modifications to an existing identified by the request URI, using a patch document that specifies the changes in a standardized format. This direct targeting of the resource URI ensures that PATCH operations modify the specified entity without creating new ones, providing clearer semantics for updates compared to . PATCH promotes interoperability through defined media types for patch documents, whereas lacks a universal standard for such update operations, allowing varied and resource-specific processing. Although POST can sometimes be used to mimic resource updates by processing submitted data to alter an existing entity, this approach lacks semantic precision and may lead to unintended side effects, such as accidental resource creation if the server's processing logic interprets the request that way. PATCH mitigates these risks by explicitly signaling partial modification intent, avoiding the ambiguity inherent in POST's flexible semantics. Historically, the broad applicability of POST for diverse operations, including ad-hoc updates, highlighted the need for a dedicated method to handle precise partial modifications, leading to the formalization of PATCH to improve consistency and reduce reliance on non-standard POST usages.

Mechanics of Patching

Applying Changes to Resources

The PATCH method enables clients to request partial modifications to a resource identified by the Request-URI by sending a patch document in the request entity body, which describes the set of changes to be applied. This document specifies the modifications using a media type that indicates the format of the instructions, allowing the server to process them accordingly. Upon receiving the request, the server interprets the patch document and applies the described changes to the existing resource, potentially creating a new resource if the target URI does not exist, depending on the semantics of the patch format and server policy. Servers bear the responsibility of validating the patch document's format and ensuring its compatibility with the target before attempting to apply any changes. If validation succeeds, the server processes the instructions to generate a new version of the ; successful application typically results in a response containing the updated representation or a status indicating completion, along with relevant headers such as an updated . In cases of failure during application, the server must handle the issue without leaving the in a partially modified state, ensuring graceful recovery to maintain integrity. The application of changes via PATCH is required to be atomic, meaning the server must apply the entire set of modifications or none at all, preventing any exposure of intermediate states to concurrent requests. This atomicity ensures that operations remain reliable even in concurrent environments, though the RFC does not specify mechanisms for distributed transactions across multiple resources. To manage concurrency and avoid overwriting unintended changes, clients should include conditional headers such as If-Match with a strong in the PATCH request, which the server uses to verify that the resource has not been modified since the was obtained. If the fails, the server rejects the request, allowing the client to reconcile conflicts before retrying. This interaction with ETags supports , enhancing the safety of partial updates in collaborative scenarios.

Common Patch Document Formats

The HTTP PATCH method, as defined in RFC 5789, does not mandate a default for the request body, allowing flexibility for various patch document formats tailored to the resource's representation. Instead, servers advertise supported s via the Accept-Patch response header, which lists comma-separated s such as application/example or text/example in hypothetical cases. Clients must specify the appropriate Content-Type header in the PATCH request to indicate the format used. One widely adopted format is Merge Patch, standardized in RFC 7396 with the media type application/merge-patch+json. This format represents modifications as a JSON object that mirrors the structure of the target JSON document, where keys indicate paths to update, new values replace existing ones, and null values signal deletions. For nested objects, the merge recurses deeply, adding absent members and preserving unchanged ones; non-object patches replace the entire target. An example patch to update a might appear as:

{ "name": "Updated Name", "email": null, "address": { "city": "New City" } }

{ "name": "Updated Name", "email": null, "address": { "city": "New City" } }

This would replace the name, remove the email, and update the city while leaving other address fields intact. In contrast, , defined in RFC 6902 with application/json-patch+json, uses an of operation objects for precise, sequential modifications to a document. Each operation includes an "op" field specifying the action—such as "add" (inserts a value at a path), "remove" (deletes at a path), "replace" (overwrites at a path), "move" (relocates from one path to another), "copy" (duplicates from one path to another), or "test" (verifies a value at a path)—along with a "path" using JSON Pointer notation (RFC 6901) and, where required, "value" or "from" fields. Operations apply in order, halting on errors like invalid paths. A sample could be:

[ {"op": "replace", "path": "/name", "value": "Updated Name"}, {"op": "remove", "path": "/email"}, {"op": "add", "path": "/address/city", "value": "New City"} ]

[ {"op": "replace", "path": "/name", "value": "Updated Name"}, {"op": "remove", "path": "/email"}, {"op": "add", "path": "/address/city", "value": "New City"} ]

This achieves similar results to the merge patch but offers finer control, such as conditional tests or rearrangements. For XML-based resources, XML Patch provides a structured approach in RFC 7351, using media type application/xml-patch+xml. The format consists of a root

element containing sequential , , or operations, each targeting locations via XPath selectors (building on RFC 5261). Additions can insert attributes or elements, removals delete specified nodes, and replacements swap content, all applied in document order to modify the target XML. For instance:

xml

<patch xmlns:p="urn:ietf:rfc:7351"> <p:add sel="/user/@status">active</p:add> <p:replace sel="/user/email">[email protected]</p:replace> <p:remove sel="/user/old-field"/> </patch>

<patch xmlns:p="urn:ietf:rfc:7351"> <p:add sel="/user/@status">active</p:add> <p:replace sel="/user/email">[email protected]</p:replace> <p:remove sel="/user/old-field"/> </patch>

This updates an attribute, replaces an element's text, and removes a node. Beyond these standardized formats, servers may define custom patch document types, registered under unique media types, to suit specific application needs, as long as they align with the Accept-Patch advertisement mechanism in RFC 5789. Such custom formats enable domain-specific operations but require explicit client-server agreement for interoperability.

Practical Examples

Basic HTTP PATCH Request

A basic HTTP PATCH request applies partial modifications to a specific resource identified by the Request-URI, using a patch document in the request body to describe the changes. Unlike methods such as PUT, which replace the entire resource, PATCH enables targeted updates without resending the full resource representation. The patch document's format is specified via the Content-Type header, allowing servers to parse and apply the instructions atomically—meaning either all changes succeed or none are applied. Consider a simple example where a client updates a single field in a user resource at /user/123. The request uses a basic text/plain format for the patch document. Note that there is no standardized format for text/plain patch documents; this is a simple illustrative example assuming server-specific parsing of key-value pairs like "name=" to modify the user's name. The request includes the If-Match header with an for conditional application, ensuring the update only proceeds if the resource has not been modified concurrently.

PATCH /user/123 HTTP/1.1 Host: example.com Content-Type: text/plain If-Match: "abc123" Content-Length: 13 name=John Doe

PATCH /user/123 HTTP/1.1 Host: example.com Content-Type: text/plain If-Match: "abc123" Content-Length: 13 name=John Doe

Upon successful application, the server responds with a 200 OK status, potentially including the updated resource in the body, or a 204 No Content status if no body is returned. The response may also include an updated ETag header reflecting the new resource state.

HTTP/1.1 200 OK Content-Type: application/json ETag: "def456" Content-Length: 55 {"id":123,"name":"John Doe","email":"[email protected]"}

HTTP/1.1 200 OK Content-Type: application/json ETag: "def456" Content-Length: 55 {"id":123,"name":"John Doe","email":"[email protected]"}

The process begins with the client targeting the resource URI, such as /user/123, to specify which to modify. The server then parses the body according to the declared Content-Type, interpreting the text/plain content as instructions to update the indicated fields. Finally, the server validates any preconditions (e.g., via If-Match), applies the changes if valid, and returns the appropriate response status. This basic approach provides an introductory illustration, while more structured formats like offer advanced operations for complex scenarios.

JSON Patch Example

JSON Patch, as specified in RFC 6902, uses a JSON array of operation objects to describe changes to a target JSON document. Each operation includes an "op" member indicating the action (such as "add", "replace", or "remove"), a "path" member using JSON Pointer syntax from RFC 6901 to locate the target, and optionally a "value" member for the new data. The media type for these documents is application/json-patch+json. Consider a sample target resource at /resource/456, represented as the following JSON object:

{ "name": "Original Name", "tags": [] }

{ "name": "Original Name", "tags": [] }

A corresponding HTTP PATCH request to apply modifications might use the body:

[ {"op": "replace", "path": "/name", "value": "New Name"}, {"op": "add", "path": "/tags", "value": ["new"]} ]

[ {"op": "replace", "path": "/name", "value": "New Name"}, {"op": "add", "path": "/tags", "value": ["new"]} ]

This request is sent as PATCH /resource/456 HTTP/1.1 with the header Content-Type: application/json-patch+json. The "replace" operation updates the value at /name to "New Name", overwriting the existing string. The "add" operation replaces the value at /tags with ["new"]. Since /tags points to an array, this replaces the entire array; for an empty array, it sets the array to contain "new". To append to an existing array without replacing it, use path "/tags/-". If the path did not exist, "add" would create the member. Upon successful application, the server responds with HTTP status 200 OK and the updated resource in the body:

{ "name": "New Name", "tags": ["new"] }

{ "name": "New Name", "tags": ["new"] }

For validation before modification, the "test" operation can verify a value at a path matches an expected one, such as {"op": "test", "path": "/name", "value": "Original Name"}; failure halts processing and returns an error like 422 Unprocessable Entity. Common pitfalls in JSON Patch include incorrect path resolution, where unescaped special characters in keys (like ~ or /) must be percent-encoded per JSON Pointer rules (e.g., /~1/ for /), leading to failed operations if mishandled. Array indexing starts at 0 (e.g., /tags/0 for the first element), and using negative indices or non-integer paths on arrays causes errors; the special index "-" appends to arrays but is invalid for object paths.

Advantages and Trade-offs

Benefits over Alternatives

The HTTP PATCH method offers significant efficiency advantages over alternatives like PUT by enabling partial updates to a , where only the modified portions are transmitted in the request body rather than the entire representation. This reduction in size minimizes bandwidth usage and decreases overhead on both client and server sides, particularly beneficial for large resources or high-latency networks. For instance, updating a single field in a voluminous document via PATCH avoids the redundancy of resending unchanged data, as required by PUT, leading to faster request completion times. PATCH provides semantic clarity by explicitly signaling the intent to perform a partial modification, distinguishing it from PUT (full replacement) or POST (creation or non-standard actions), which enhances API design and documentation practices. This clear delineation allows developers to define precise contracts for resource updates, reducing ambiguity in how endpoints should behave and making more intuitive for consumers. In RESTful architectures, using PATCH for partial changes promotes consistent method usage, facilitating better tooling, testing, and maintenance. The flexibility of PATCH stems from its support for diverse patch document formats and operation types, accommodating complex modifications beyond simple field replacements. Standardized formats like enable operations such as adding, removing, replacing, moving, copying, or testing values within a , applied sequentially to achieve atomic or multi-step updates. This adaptability suits varied data structures and application needs, such as reordering array elements or conditional validations, without relying on custom POST endpoints.

Potential Drawbacks

One significant drawback of the HTTP PATCH method is its lack of inherent idempotency, meaning that repeating the same PATCH request multiple times may result in different outcomes as changes can accumulate on the . Unlike PUT, which replaces the entire and thus remains unchanged upon repetition, PATCH requires developers to design requests carefully, often using conditional headers like If-Match with ETags to achieve idempotent behavior and avoid unintended modifications. This non-idempotent nature can complicate retry logic in distributed systems, potentially leading to data inconsistencies if network failures occur during application. Server implementations of PATCH exhibit variability due to the absence of uniform rules for applying patch documents, resulting in inconsistent behavior across different services. The method supports multiple patch formats without a default, such as or custom media types advertised via the Accept-Patch response header, which demands that clients and servers negotiate compatible formats explicitly. This flexibility, while enabling diverse use cases, often leads to issues, as servers must process changes atomically but may interpret partial updates differently based on their specific logic. The complexity of structured patch formats like further exacerbates implementation challenges compared to simpler methods such as PUT. Patch requires parsing and sequentially applying a series of operations (e.g., add, replace, remove) using JSON Pointers to target specific paths, which introduces additional client-side and server-side logic for validation and error handling. A failure in any single operation halts the entire patch, demanding robust testing to ensure sequential integrity, unlike the straightforward full replacement of PUT. Adoption barriers persist for PATCH, particularly in legacy systems, as the method was only standardized in 2010 and remains optional in some older web servers and frameworks. Prior to this, PATCH was not universally supported, and even as of , environments running outdated software—such as pre-2012 versions of or certain embedded systems—may lack native handling, forcing developers to fall back to or PUT for partial updates. This uneven support hinders seamless integration in heterogeneous infrastructures.

Implementation Considerations

Server-Side Handling

When processing an HTTP PATCH request, servers must first parse the request body, which contains a patch specifying partial modifications to the target resource. The server verifies the Content-Type header to ensure the document uses a supported , such as application/json-patch+json for operations. If the document is malformed or syntactically invalid, the server responds with a 400 Bad Request status code. For unsupported media types, it returns 415 Unsupported Media Type and should include an Accept-Patch response header listing the supported formats to guide clients. Validation extends to semantic checks, ensuring the proposed changes are applicable to the resource's current state. Servers should evaluate preconditions, such as the If-Match header with an ETag value, to confirm the resource has not been modified concurrently; failure triggers a 412 Precondition Failed response, promoting idempotency and preventing lost updates. The changes are then applied atomically—either all succeed or none do—to maintain resource consistency, though the method may produce side effects on related resources. Upon successful application, servers typically respond with 200 OK, including the full updated resource representation in the body to allow clients to verify the outcome, or 204 No Content if no body is needed. Error conditions, such as resource conflicts yielding 409 Conflict, ensure reliable handling without partial updates. Best practices include advertising PATCH support via the Accept-Patch header in OPTIONS responses, enabling clients to query compatible formats proactively. Servers should log patch operations, including the original and updated resource states, timestamps, and actor identifiers, to facilitate auditing and compliance with security policies. This logging aids in tracking modifications without altering the core protocol semantics. The PATCH method integrates seamlessly with HTTP/1.1, , and , as it relies on standard request-response semantics without version-specific adaptations; multiplexing in and QUIC transport in enhance performance for concurrent PATCH operations but require no additional server logic.

Client-Side Usage

Clients construct HTTP PATCH requests by specifying the target resource's URI in the request line, selecting an appropriate patch document format such as or JSON Merge Patch, and including the patch operations in the request body. The Content-Type header must indicate the chosen format, for example, application/json-patch+json for documents, while the PATCH method ensures partial updates without replacing the entire resource. To support conditional requests and prevent overwrites, clients often include headers like If-Match with an value to verify the resource's current state, or If-None-Match to apply the patch only if the resource has changed since last accessed. For robustness, clients implement fallback strategies by first probing the server's capabilities using an OPTIONS request to the resource URI, checking the Accept-Patch response header for supported media types; if PATCH is unsupported or the desired format is absent, the client reverts to a PUT request for full resource replacement. This probing aligns with HTTP's extensibility model, allowing graceful degradation in heterogeneous environments. In popular libraries, client-side PATCH usage simplifies construction and handles asynchronous responses. For instance, in JavaScript with Axios, a PATCH request is sent via axios.patch('/resource/1', { op: 'replace', path: '/name', value: 'New Name' }, { headers: { 'If-Match': etag } }), which returns a Promise resolving to the server's response or error. Similarly, in Python's requests library, clients use requests.patch('https://api.example.com/resource/1', json=[{"op": "replace", "path": "/name", "value": "New Name"}], headers={'If-Match': etag}), managing sessions for authentication and retries on transient failures. These frameworks abstract low-level details like header serialization while supporting async patterns for non-blocking operations. Testing PATCH requests typically involves command-line tools like curl to simulate client behavior and verify outcomes. A basic curl command might be curl -X PATCH -H "Content-Type: application/json-patch+json" -H "If-Match: "abc123"" -d '[{"op":"replace","path":"/name","value":"Updated"}]' https://api.example.com/resource/1, expecting a 2xx status for success or 4xx/5xx for issues like conflicts. Clients monitor responses for status codes, ensuring 200 OK or 204 No Content indicates successful partial application, while logging headers like ETag in the response for subsequent conditional requests.

Error Handling

Malformed Patch Documents

A malformed patch document in an HTTP PATCH request refers to a body that fails to parse correctly due to invalid syntax or structural errors, such as non-compliant in a document or incorrect formatting of operations. According to RFC 5789, this occurs when the server cannot interpret the provided patch document as properly formatted, preventing any partial application of changes. When encountering a malformed patch document, servers should respond with a 400 Bad Request status code, as recommended in RFC 5789, and include descriptive error details in the response body where feasible to aid client debugging. This status indicates that the request is syntactically invalid, ensuring no modifications are attempted on the target resource. For specifically, RFC 6902 mandates that evaluation of the document terminates immediately upon detecting a violation of normative requirements, rendering the entire patch unsuccessful without proceeding further. Servers are advised to reject malformed documents early in processing to avoid unintended side effects, validating the body against the expected format (e.g., syntax or operation structure) before any resource interaction. Clients, upon receiving a response, should correct the syntax or structure issues in the patch document and retry the request, potentially using tools like validators to ensure compliance. Common examples include syntax errors in , such as invalid JSON Pointer paths that do not conform to RFC 6901 (e.g., a path like "/users/0/name~" missing proper escaping for special characters) or operations with duplicate "op" members (e.g., specifying both "add" and "remove" in the same object). Another case is a malformed array of operations where an entry lacks required fields like "path" or "value," causing parsing to fail. For instance:

[ { "op": "replace", "path": /invalid, // Invalid JSON Pointer syntax "value": "new value" } ]

[ { "op": "replace", "path": /invalid, // Invalid JSON Pointer syntax "value": "new value" } ]

Such errors halt processing atomically, distinguishing them from semantically unsupported formats that may still parse but cannot be applied.

Unsupported Patch Formats

When a client submits an HTTP PATCH request with a patch document whose media type is not supported by the server, the server rejects the request due to the inability to process the specified format. This occurs when the Content-Type header in the request does not match any of the media types advertised by the server in its Accept-Patch response header, such as a custom or non-standard patch format that the server does not recognize. In response, the server returns a 415 Unsupported status code to indicate that the payload format is unacceptable. To assist the client, the server should include an Accept-Patch header in the 415 response, listing the supported media types (e.g., application/ or application/merge-patch+) as alternatives for retrying the operation. To prevent such errors, clients are recommended to first send an OPTIONS request to the target resource to retrieve the server's Accept-Patch header and confirm supported formats before issuing the PATCH. Servers, in turn, must clearly advertise their capabilities via this header in OPTIONS responses, ensuring transparency about acceptable patch document media types. This mismatch in format support has significant implications for API interactions, as it prohibits partial resource updates via PATCH and may compel clients to fall back to full resource replacement methods like PUT, potentially increasing bandwidth usage and risking overwrites of unchanged data.

Unprocessable Requests

In HTTP PATCH requests, unprocessable requests occur when the patch document is syntactically valid and the server understands its content type, but the proposed changes cannot be applied due to semantic invalidity specific to the resource, such as attempting to modify an immutable field or introducing a type mismatch that violates the resource's . This scenario is an extension of concepts from protocols, where instructions are well-formed but semantically erroneous, rendering them inapplicable without altering the resource's integrity. The standard HTTP response for such cases is the 422 Unprocessable Entity status code, which signals that the server recognizes the request's structure but deems the content unprocessable. The response body should include detailed error information to aid client correction, such as descriptions of the invalid operations or affected fields, often in a format like with error codes and messages. For instance, if a PATCH attempts to set a read-only property like a resource's creation , the server returns 422 with an explanation like {"error": "Cannot modify immutable field: created_at"}. Representative examples include trying to append an item to a non-extensible defined in the resource's , which would violate structural constraints, or submitting a value for a numeric field, triggering a type mismatch error. Another case arises when the patch violates application-specific business rules, such as updating a user's age to a negative value in a system enforcing positive integers only. This differs from a 400 Bad Request response, which addresses syntactic malformations in the request itself, whereas 422 specifically denotes valid coupled with unapplyable logic due to semantics. As noted in malformed patch document handling, 422 applies only after validation succeeds.

Resource Not Found

When a PATCH request targets a URI that identifies a non-existent , the server encounters a situation where the partial modifications specified in the request cannot be applied due to the absence of the target. In such cases, the server typically rejects the request rather than automatically creating the , as PATCH is intended for modifying existing resources rather than initiating new ones. This behavior aligns with the method's semantics, distinguishing it from , which is designed for creation. The standard HTTP response for this scenario is a 404 Not Found status code, indicating that the server cannot locate the requested resource to apply the patch. According to RFC 5789, this code is appropriate when the patch document cannot be applied to a non-existent resource, ensuring clear communication of the error to the client. Servers are permitted to create a new resource in response to a PATCH request if the URI does not correspond to an existing one, but this is optional and depends on the specific patch document type and server policy; however, such creation is generally discouraged to maintain the distinction between modification and creation operations. To mitigate issues with non-existent resources, best practices recommend that clients verify the resource's existence prior to issuing a PATCH request. This can be achieved using a HEAD request, which checks for the resource without retrieving its full representation, or a GET request to confirm availability and potentially retrieve the current state for comparison. Such pre-checks help prevent unnecessary errors and align with RESTful principles for safe and idempotent operations.

Conflicting States

In HTTP PATCH operations, conflicting states arise when the patch document presupposes a specific condition or state of the target resource that no longer holds true, such as a failed "" operation in or a violation of a tied to the resource's current attributes. This mismatch prevents safe application of the changes without risking data inconsistency or unintended modifications. Servers handling such conflicts typically return an HTTP 409 Conflict status code to indicate that the request cannot proceed due to the resource's state. To facilitate resolution, the response should include details about the current resource state—such as its representation in the body—or versioning information like an header, enabling the client to understand and address the discrepancy. Common examples include the "test" operation in (RFC 6902), where the operation verifies if a value at a specified path matches an expected value; failure here aborts the entire patch and triggers the conflict response, as the subsequent operations rely on that precondition. Another scenario involves version mismatches, where the client's patch assumes an outdated resource version, often detected via application-specific checks rather than HTTP preconditions, leading to the same 409 response. Upon receiving a 409 Conflict, the standard resolution involves the client issuing a fresh GET request to obtain the resource's updated state, revising the patch document accordingly, and retrying the PATCH request. This approach ensures idempotency and maintains without requiring complex locking mechanisms.

Concurrent Modifications

Concurrent modifications arise in HTTP PATCH operations when multiple clients attempt to update the same resource simultaneously, potentially leading to one client's changes overwriting another's without detection. This "lost update" problem typically occurs if a client retrieves the resource state via GET, another client modifies it in the interim, and the first client then applies a PATCH based on the outdated state, resulting in unintended overwrites or . To prevent such issues, servers implement optimistic concurrency control using entity tags (ETags), which serve as opaque identifiers for the resource's current state. Clients include the ETag received from a prior GET request in the If-Match header of the subsequent PATCH request, ensuring the update applies only if the resource has not changed. If the ETag matches, the PATCH proceeds; otherwise, the server rejects the request to avoid overwriting concurrent changes. Versioning headers, such as custom version numbers, can provide similar functionality but ETags are the standard mechanism in HTTP. Upon detecting a concurrent modification, servers respond with appropriate status codes to signal the conflict. A failed , such as an mismatch in the If-Match header, results in a 412 Precondition Failed response, prompting the client to retrieve the updated resource and retry. Without preconditions, or for broader state conflicts from concurrent updates, a 409 Conflict response is used, indicating the request cannot proceed due to the resource's current state. Pessimistic locking, which involves acquiring exclusive locks on resources during updates, is rare in HTTP due to its stateless nature and is generally avoided in favor of optimistic approaches like conditional requests. This design prioritizes scalability and availability, allowing concurrent reads while detecting write conflicts at submission time.

Security Considerations

Vulnerability Risks

One significant vulnerability risk associated with HTTP PATCH requests is over-posting, also known as mass assignment, where clients can submit unintended fields in the patch document, potentially modifying sensitive server-side properties if input validation is not strictly enforced. This occurs because PATCH allows partial updates via formats like Merge Patch, enabling attackers to include extraneous properties that directly to model objects without filtering. For instance, an attacker might administrative flags or escalate privileges by injecting fields like "isAdmin: true" into a update. The API Security Top 10 identifies this as a prevalent issue in APIs, where automatic binding of client parameters to internal objects exposes sensitive data without proper allowlisting or blacklisting of properties. PATCH requests are susceptible to cross-site request forgery (CSRF), which can lead to unauthorized state changes if anti-CSRF protections are absent. Unlike safe methods such as GET, PATCH modifies resources, making it an "unsafe" operation under RFC 9110, and browsers may automatically include credentials in cross-origin requests, allowing malicious sites to forge updates on behalf of authenticated users. This risk is heightened in web applications where PATCH endpoints handle sensitive modifications, such as profile changes, without requiring unique tokens. The Cross-Site Request Forgery Prevention Cheat Sheet emphasizes that state-changing methods like PATCH necessitate CSRF tokens to validate request authenticity, as the method's partial update semantics do not inherently prevent forgery. Denial-of-service (DoS) attacks can exploit PATCH by sending complex payloads that consume excessive server resources during processing. For example, JSON Patch documents with deeply nested operations or large arrays of modifications (per RFC 6902) may trigger high CPU usage or memory exhaustion if servers lack limits on operation depth or payload size. Flooding endpoints with such requests, known as HTTP PATCH floods, overwhelms application servers by forcing repeated parsing and validation. Microsoft documentation on JSON Patch in ASP.NET Core notes inherent security risks in the standard, including potential resource exhaustion from unmitigated complex operations, underscoring the need for implementation-specific bounds. Additionally, specialized DoS vectors target JSON parsing in PATCH bodies, amplifying impact on vulnerable parsers. Injection risks arise when malicious payloads in PATCH bodies exploit vulnerabilities in content parsers or deserializers, potentially leading to code execution or . In particular, server-side prototype pollution can occur if JSON-based patches (e.g., merge patches) are applied without sanitization, allowing attackers to inject properties like "proto" to pollute global object prototypes and alter application behavior. This is feasible in languages like where PATCH updates involve dynamic object merging. PortSwigger's research on server-side prototype pollution highlights how such injections via update endpoints, including partial ones like PATCH, can enable remote code execution by manipulating shared prototypes. further classifies these as injection flaws when untrusted input in request bodies evades proper escaping.

Mitigation Strategies

To mitigate security risks in HTTP PATCH implementations, robust input validation is essential to prevent injection attacks and unauthorized modifications. Developers should employ allowlist-based validation, restricting patch documents to predefined fields and operations that align with the resource's schema, such as using JSON Schema for partial updates. For specifically, paths must be sanitized to ensure they reference valid locations within the target resource, terminating evaluation if they violate normative requirements like prohibiting self-referential moves. This approach enforces syntactic and semantic checks early in the request processing pipeline, logging any discrepancies as high-severity events to detect potential tampering. Authentication and authorization mechanisms must be finely tuned for PATCH requests to protect against unauthorized access. Enforce per-field permissions using (ABAC), where users are granted minimum privileges based on roles, attributes, and context, ensuring that only permitted fields can be modified. Additionally, all PATCH endpoints should mandate to encrypt payloads in transit, safeguarding sensitive data like authentication credentials and partial updates from interception. This deny-by-default policy, combined with validation on every request, prevents broken object level authorization vulnerabilities. Rate limiting serves as a critical defense against denial-of-service (DoS) attacks targeting PATCH endpoints, which can be resource-intensive due to partial . Implement limits on request frequency, such as capping operations at 10 per minute per IP or session, and extend this to by restricting the total operations or size in a single patch . For instance, GraphQL-like partial updates can be bounded by a complexity score derived from the number of fields affected, blocking excessive requests to maintain service availability. These controls should escalate responses, from warnings to temporary blocks, based on violation patterns. Comprehensive auditing enhances traceability and incident response for PATCH operations. Log all patch attempts with full context, including the user identity, source IP, timestamp, affected resource, operation details (e.g., added/removed fields), and outcome (success or failure), using structured formats like for easy parsing. To ensure , incorporate conditional headers such as If-Match with ETags in responses, allowing clients to verify the resource version before applying changes and logging mismatches to detect concurrent modification attempts. Regular review of these logs, as per standards like NIST SP 800-92, aids in compliance and .

References

  1. https://datatracker.ietf.org/doc/html/rfc5789
  2. https://datatracker.ietf.org/doc/html/rfc7396
  3. https://datatracker.ietf.org/doc/html/rfc6902
  4. https://www.rfc-editor.org/rfc/rfc5789.html
  5. https://datatracker.ietf.org/doc/rfc5789/
  6. https://www.baeldung.com/http-put-patch-difference-spring
  7. https://apidog.com/blog/http-patch-method/
  8. https://www.baeldung.com/spring-rest-json-patch
  9. https://stackoverflow.com/questions/28459418/use-of-put-vs-patch-methods-in-rest-api-real-life-scenarios
  10. https://lists.w3.org/Archives/Public/ietf-http-wg/2004AprJun/0086.html
  11. https://datatracker.ietf.org/doc/html/draft-dusseault-http-patch-03
  12. https://datatracker.ietf.org/doc/html/draft-dusseault-http-patch-07
  13. https://datatracker.ietf.org/doc/html/draft-dusseault-http-patch-16
  14. https://datatracker.ietf.org/doc/html/rfc5789#section-3
  15. https://datatracker.ietf.org/doc/html/rfc9110
  16. https://datatracker.ietf.org/doc/html/rfc9110#section-9.6
  17. https://www.rfc-editor.org/errata/eid3169
  18. https://www.rfc-editor.org/rfc/rfc9114.html#section-4.1
  19. https://datatracker.ietf.org/doc/html/rfc7231#section-4.3.4
  20. https://www.rfc-editor.org/rfc/rfc5789.html#section-2
  21. https://datatracker.ietf.org/doc/html/rfc7231#section-4.2.2
  22. https://datatracker.ietf.org/doc/html/rfc7234#section-4.4
  23. https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.3
  24. https://www.rfc-editor.org/rfc/rfc9110.html#section-9.2.2
  25. https://datatracker.ietf.org/doc/html/rfc5789#section-1
  26. https://datatracker.ietf.org/doc/html/rfc5789#section-2
  27. https://datatracker.ietf.org/doc/html/rfc5789#appendix-A
  28. https://datatracker.ietf.org/doc/html/rfc7351
  29. https://datatracker.ietf.org/doc/html/rfc6901
  30. https://treblle.com/blog/rest-api-endpoint-design-guide
  31. https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Methods/PATCH
  32. https://learn.microsoft.com/en-us/azure/architecture/best-practices/api-implementation
  33. https://http.dev/2
  34. https://datatracker.ietf.org/doc/html/rfc5789/
  35. https://datatracker.ietf.org/doc/html/rfc5789#section-2.2
  36. https://datatracker.ietf.org/doc/html/rfc5789#section-3.1
  37. https://datatracker.ietf.org/doc/html/rfc4918#section-11.2
  38. https://datatracker.ietf.org/doc/html/rfc4918#section-9.6
  39. https://learn.microsoft.com/en-us/azure/architecture/best-practices/api-design
  40. https://datatracker.ietf.org/doc/html/rfc9110#section-13.1
  41. https://datatracker.ietf.org/doc/html/rfc9110#section-13.1.1
  42. https://datatracker.ietf.org/doc/html/rfc9110#section-8.8.3
  43. https://datatracker.ietf.org/doc/html/rfc9110#section-15.5.12
  44. https://datatracker.ietf.org/doc/html/rfc9110#section-15.5.5
  45. https://datatracker.ietf.org/doc/html/rfc5789#section-7
  46. https://owasp.org/API-Security/editions/2019/en/0xa6-mass-assignment/
  47. https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
  48. https://learn.microsoft.com/en-us/aspnet/core/web-api/jsonpatch?view=aspnetcore-9.0
  49. https://kb.mazebolt.com/knowledgebase/http-patch-flood/
  50. https://portswigger.net/web-security/prototype-pollution/server-side
  51. https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
  52. https://datatracker.ietf.org/doc/html/rfc6902#section-7
  53. https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
  54. https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
  55. https://developers.cloudflare.com/waf/rate-limiting-rules/best-practices/
  56. https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
  57. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Conditional_requests
  58. https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-92.pdf
Add your contribution
Related Hubs
Contribute something
User Avatar
No comments yet.