Recommended

no-request-body

Formats:

Severity:

HTTP GET and DELETE operations should not accept request bodies according to HTTP semantics and best practices.

While the HTTP specification doesn’t strictly forbid request bodies for GET and DELETE requests, they are considered bad practice because:

Many HTTP clients, proxies, and servers may strip out or ignore the body
GET requests should be idempotent and side-effect free - they retrieve data, not send it
DELETE requests identify resources to delete via the URI, not the body
It violates the principle of least surprise for API consumers

Why did this violation appear?

Your OpenAPI specification contains a GET or DELETE operation that has a requestBody defined. This goes against HTTP best practices and may cause interoperability issues.

What is this rule checking for?

This rule scans all path operations in your OpenAPI specification and checks that:

GET operations do not have a requestBody defined
DELETE operations do not have a requestBody defined

Bad examples

paths:
  /users/{id}:
    get:
      summary: Get user details
      operationId: getUser
      parameters:
        - name: id
          in: path
          required: true
          schema:
            type: string
      requestBody:  # ❌ GET should not have a request body
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                includeDetails:
                  type: boolean
      responses:
        '200':
          description: User details

paths:
  /users/{id}:
    delete:
      summary: Delete a user
      operationId: deleteUser
      parameters:
        - name: id
          in: path
          required: true
          schema:
            type: string
      requestBody:  # ❌ DELETE should not have a request body
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                reason:
                  type: string
      responses:
        '204':
          description: User deleted

Good examples

paths:
  /users/{id}:
    get:
      summary: Get user details
      operationId: getUser
      parameters:
        - name: id
          in: path
          required: true
          schema:
            type: string
        - name: includeDetails  # ✅ Use query parameters instead
          in: query
          required: false
          schema:
            type: boolean
      responses:
        '200':
          description: User details

paths:
  /users/{id}:
    delete:
      summary: Delete a user
      operationId: deleteUser
      parameters:
        - name: id
          in: path
          required: true
          schema:
            type: string
        - name: reason  # ✅ Use query or header parameters if needed
          in: query
          required: false
          schema:
            type: string
      responses:
        '204':
          description: User deleted

How do I fix this violation?

Remove the requestBody from your GET and DELETE operations. If you need to send additional data:

For GET operations:

Use query parameters for filtering, sorting, or requesting specific fields
Use path parameters to identify resources
Use headers for metadata like authorization or content negotiation

For DELETE operations:

Use path parameters to identify the resource to delete
Use query parameters for optional delete options (like cascade delete)
Use headers for conditional deletes (If-Match, etc.)

If you absolutely must send complex data that doesn’t fit in parameters:

For GET-like operations, consider using POST with a clear action name (e.g., /users/search)
For DELETE-like operations with complex criteria, consider POST with an action (e.g., /users/bulk-delete)

operation-parameters - Ensures operation parameters are properly defined
path-params - Validates path parameter usage