When QA engineers test software, they draw on every method and tool available, each with its own rules. When it comes to HTTP methods, most programmers know the common ones, and only a few use the requests that are infrequent but still effective. Below, we look at three of those methods: OPTIONS, HEAD, and CONNECT.
OPTIONS is a request that returns the methods allowed for a particular endpoint. For example, if you have a URL that returns a list of internal links, OPTIONS on that URL might return GET and POST.
Let's look at a simple example. We will use the Restful-Booker API to test the OPTIONS method. Create a new GET request to https://restful-booker.herokuapp.com/booking. When a tester runs this request, they see all the current bookings in the hotel.
Now change the method from GET to OPTIONS. The response body lists GET, POST, and HEAD, which means only these three methods are available for this endpoint.
During API testing, this is the most effective way to find out whether an endpoint accepts methods its users don't know about. It also gives you a starting point for testing that hidden functionality and for spotting potential web security weaknesses. For example, a customer API may not be supposed to have a DELETE method at all, but someone implemented it unintentionally.
To illustrate HEAD, we'll use the same URL as in the previous example. First, set the method to GET.
Run the request and you get a response body with the list of all available bookings. Now look at the response headers: Server, X-Powered-By, Connection, Date, and Via.
Then change the method to HEAD and re-run the request. Most likely you'll get an empty response body, but the 8 headers may still come back.
With HEAD you can test the headers of a GET request without receiving the data in the response body. Headers are important because they carry the security rules the server sets. If a tester knows which headers the API should return, they can run HEAD against every endpoint to check them.
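The OPTIONS and HEAD checks described above, put together as an added Python example. This is not code from the original article and it does not call Restful-Booker; it runs against a constructed stand-in API on localhost whose /admin endpoint exposes an unintended DELETE and omits a security header, so that both kinds of finding show up. The policy of expected methods and the required header list are assumptions for the demo.

```python
"""Audit an API's endpoints with OPTIONS and HEAD (added example; local stand-in API)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the API under test. /booking behaves like the
# Restful-Booker endpoint in the text (GET, HEAD, POST); /admin has a DELETE
# nobody meant to ship and forgets a security header.
METHODS = {
    "/booking": ["GET", "HEAD", "POST"],
    "/admin": ["GET", "HEAD", "DELETE"],
}


class FakeApi(BaseHTTPRequestHandler):
    def _security_headers(self):
        if self.path == "/booking":            # /admin deliberately lacks it
            self.send_header("X-Content-Type-Options", "nosniff")

    def do_OPTIONS(self):
        allowed = METHODS.get(self.path)
        if allowed is None:
            self.send_response(404)
            self.end_headers()
            return
        body = ",".join(allowed).encode()
        self.send_response(200)
        self.send_header("Allow", ",".join(allowed))   # the standard place for the list
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)                         # Restful-Booker echoes it in the body

    def do_GET(self):
        body = b'[{"bookingid": 1}]'
        self.send_response(200)
        self._security_headers()
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_HEAD(self):                                  # same headers as GET, no body
        self.send_response(200)
        self._security_headers()
        self.end_headers()

    def log_message(self, *args):                       # keep the demo output quiet
        pass


def start_server():
    server = HTTPServer(("127.0.0.1", 0), FakeApi)     # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def _request(host, port, method, path):
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path)
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers, body


def allowed_methods(host, port, path):
    """Methods the endpoint advertises via OPTIONS (Allow header, else the body)."""
    _, headers, body = _request(host, port, "OPTIONS", path)
    raw = headers.get("allow") or body
    return sorted({m.strip().upper() for m in raw.split(",") if m.strip()})


def head_headers(host, port, path):
    """Headers of a HEAD response, i.e. what GET would send, minus the body."""
    _, headers, _ = _request(host, port, "HEAD", path)
    return headers


def audit(host, port, policy, required=("x-content-type-options",)):
    """policy maps path -> methods that should exist. Returns a list of findings."""
    findings = []
    for path, expected in policy.items():
        extra = sorted(set(allowed_methods(host, port, path)) - set(expected))
        if extra:
            findings.append(f"{path}: unexpected methods {extra}")
        missing = [h for h in required if h not in head_headers(host, port, path)]
        if missing:
            findings.append(f"{path}: missing headers {missing}")
    return findings


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    policy = {"/booking": ["GET", "HEAD", "POST"], "/admin": ["GET", "HEAD", "POST"]}
    for finding in audit("127.0.0.1", port, policy):
        print(finding)
    srv.shutdown()
```

Pointing `audit` at a real host and port with the team's own expected-methods policy turns the two manual checks from the text into one repeatable test: any method that OPTIONS advertises beyond the policy, and any required header that HEAD fails to return, becomes a finding.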
CONNECT establishes a tunnel to the server specified by the URL. It is also sometimes used to set up proxy connections.
To illustrate the CONNECT method, we'll use cURL. You can check whether cURL is installed on a PC by entering curl --version in a command line; if it prints a version, curl is installed.
To use the CONNECT method, enter the following in the command line: curl -v -X CONNECT http://kristinjackvony.com (-X sets the request method, -v prints the full exchange).
Around the 9th line of the output you'll see the message “301 Moved Permanently”. This means the URL has been changed and a redirect follows.
Use this method when you want to see what happens when you connect to an HTTP resource. It helps with security testing and with checking proxy usage.
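The tunnel described above, shown end to end as an added Python example (not code from the original article). It runs a constructed proxy, a constructed echo server standing in for the origin, and a client on localhost: the client sends CONNECT host:port, the proxy answers with 200 and relays raw bytes, or refuses with 403 when the destination is not on its allow-list. The allow-list policy and the "port 9" denied target are assumptions made for the demo; they illustrate why a proxy must restrict where CONNECT may tunnel.

```python
"""Toy CONNECT proxy with a destination allow-list, plus a client that uses it
(added example; everything here is constructed and runs on localhost only)."""
import socket
import threading


def parse_connect(request_line):
    """Parse 'CONNECT host:port HTTP/1.x'; return (host, port) or None if malformed."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host, int(port)


def _recv_head(sock):
    """Read until the blank line that ends an HTTP head (or until EOF)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def _pump(src, dst):
    """Copy bytes one way until src hits EOF, then half-close dst."""
    while chunk := src.recv(4096):
        dst.sendall(chunk)
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def _handle_proxy_client(client, allow):
    """Proxy side: open a tunnel only to a (host, port) that is on the allow-list."""
    head = _recv_head(client)
    target = parse_connect(head.split(b"\r\n", 1)[0].decode(errors="replace"))
    if target is None:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        client.close()
        return
    if target not in allow:            # an open proxy would tunnel anywhere; refuse instead
        client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        client.close()
        return
    upstream = socket.create_connection(target, timeout=5)
    client.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
    t = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    t.start()
    _pump(upstream, client)            # bytes are relayed untouched in both directions
    t.join()
    upstream.close()
    client.close()


def _echo(conn):
    """Constructed stand-in for the origin server behind the proxy."""
    with conn:
        while chunk := conn.recv(4096):
            conn.sendall(chunk)


def _serve(handler, *extra):
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))         # port 0: pick a free port
    srv.listen()

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:            # listening socket was closed
                return
            conn.settimeout(5)
            threading.Thread(target=handler, args=(conn, *extra), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv


def connect_through_proxy(proxy_port, host, port, payload):
    """Client side: ask for a tunnel to host:port; return (status line, echoed bytes or None)."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
        status = _recv_head(s).split(b"\r\n", 1)[0].decode(errors="replace")
        if not status.startswith("HTTP/1.1 200"):
            return status, None
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = b""
        while chunk := s.recv(4096):
            reply += chunk
        return status, reply


def demo():
    echo = _serve(_echo)
    allow = {("127.0.0.1", echo.getsockname()[1])}    # the one permitted destination
    proxy = _serve(_handle_proxy_client, allow)
    pport = proxy.getsockname()[1]
    ok = connect_through_proxy(pport, "127.0.0.1", echo.getsockname()[1], b"ping")
    denied = connect_through_proxy(pport, "127.0.0.1", 9, b"ping")   # not on the allow-list
    echo.close()
    proxy.close()
    return ok, denied


if __name__ == "__main__":
    print(demo())
```

Running it prints the permitted tunnel's 200 status with the echoed payload, then the 403 for the refused destination. When testing a real proxy, the same CONNECT exchange against destinations that should be off-limits is the check worth automating.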
In conclusion, using infrequent HTTP methods helps generate good, effective test ideas when providing software testing services, so there is a good chance the product under test gets checked as thoroughly as possible from the technical side.