POST request to pages returns 200 or 404

[prestonwordsworth]

When we send a POST request to a regular page via cURL with no data/body, we get 200 and a response containing the page content just as we would with GET.

When we send POST requests with arbitrary data, however, we get either 404 or 200 depending on the request body.

Is this an inconsistency to be fixed or just undocumented, but intended, behaviour?

[abcd95]

Hey @prestonwordsworth, Thanks for bringing this up!

While I would be able to suggest better if the data being sent was provided, with the information given, I can see that the behavior you're observing is the expected implementation.

Empty POST requests are treated as GET requests, returning a 200 status with page content. When POST requests include data, WordPress attempts to find a registered handler for that data pattern. With a matching handler, it returns 200, otherwise 404.

It's working as designed, though I agree with you that it could be better documented.

[prestonwordsworth]

This is very helpful to know – thank you @abcd95!

Empty POST requests are treated as GET requests, returning a 200 status with page content.

If this is intended to be used for cache invalidation, I hope there’s a way to prevent POST flood cache bypass attacks.

[pmbaldha]

As the page responses are not handled by the HTTP API, I am closing this ticket as invalid.

[swissspidy]

Removing milestone from closed ticket.