HTTP Verb Tunnelling
What is it?
HTTP verb tunnelling (sometimes called HTTP method override) is actually a hack. It exists to solve the situation where a web application runs behind a strict-policy firewall which only allows GET and POST requests.
To allow the PUT, DELETE, OPTIONS and PATCH methods to be used, the developer can use the POST method with the X-Http-Method-Override request header set to the appropriate method, as shown in the following snippet:
    POST /delete HTTP/1.1
    Host: myapp.fano
    X-Http-Method-Override: DELETE
In the example above, http://myapp.fano/delete is assumed to handle only DELETE requests. Using the appropriate header value, the client can send a POST request which will be translated into a DELETE request.
Using HTTP verb tunnelling in Fano Framework
To allow HTTP verb tunnelling, you need to use the TVerbTunnellingDispatcher class, as shown in the following example code:
    function TAppServiceProvider.buildDispatcher(
        const ctnr : IDependencyContainer;
        const routeMatcher : IRouteMatcher;
        const config : IAppConfiguration
    ) : IDispatcher;
    begin
        // wrap the simple dispatcher factory with the verb tunnelling factory
        ctnr.add(
            GuidToString(IDispatcher),
            TVerbTunnellingDispatcherFactory.create(
                TSimpleDispatcherFactory.create(
                    routeMatcher,
                    TRequestResponseFactory.create()
                )
            )
        );
        result := ctnr[GuidToString(IDispatcher)] as IDispatcher;
    end;
With this type of dispatcher, when Fano Framework receives a POST request with the X-Http-Method-Override header set, it uses the verb in the header value instead. The new verb is tested against the known HTTP verbs (GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD). If it is not one of the allowed methods, an EInvalidMethod exception is raised.
If you need to use this, you need to understand the security implications of the HTTP verb tampering issue.
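The override rule described above, and why an access check has to be made on the effective verb rather than the verb on the wire, as an added Python example (not Fano Framework code). The role policy, the case-insensitive comparison and the sample requests are assumptions made for illustration.

```python
# Added example; models the override rule described on this page, not Fano code.
KNOWN_VERBS = {"GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD"}

class InvalidMethod(Exception):
    """Stand-in for the framework's EInvalidMethod."""

def effective_method(wire_method, headers):
    """Verb a tunnelling dispatcher routes on: header value for POST, else wire verb."""
    override = {k.lower(): v for k, v in headers.items()}.get("x-http-method-override")
    if wire_method.upper() != "POST" or override is None:
        return wire_method.upper()
    verb = override.strip().upper()  # assumption: case-insensitive comparison
    if verb not in KNOWN_VERBS:
        raise InvalidMethod(verb)
    return verb

# Hypothetical policy: which verbs each role may use on /delete.
POLICY = {"editor": {"GET", "POST"}, "admin": {"GET", "POST", "DELETE"}}

def allowed(role, verb):
    return verb in POLICY.get(role, set())

def review(role, wire_method, headers):
    """Compare a check made on the wire verb with one made on the effective verb."""
    try:
        verb = effective_method(wire_method, headers)
    except InvalidMethod:
        return "reject-invalid-verb"
    if not allowed(role, verb):
        # A gate that only looked at the wire verb would have let this through.
        return "deny-mismatch" if allowed(role, wire_method.upper()) else "deny"
    return "allow"

# Constructed sample requests (role, wire verb, headers).
SAMPLES = [
    ("editor", "POST", {}),
    ("editor", "POST", {"X-Http-Method-Override": "DELETE"}),
    ("admin", "POST", {"X-Http-Method-Override": "delete"}),
    ("editor", "GET", {"X-Http-Method-Override": "DELETE"}),
    ("admin", "POST", {"X-Http-Method-Override": "PURGE"}),
]

if __name__ == "__main__":
    for role, method, headers in SAMPLES:
        print(role, method, headers, "->", review(role, method, headers))
```

The "deny-mismatch" result marks requests where a firewall or middleware rule keyed on POST would pass the request while the application treats it as DELETE; these are the ones worth logging.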