Which HTTP methods require a body?

From your comments I get you're writing an HTTP client library (why, aren't there enough?) and you want to allow for a generic request(method, url[, data]) method. You want to know for what method the data is either required or forbidden.

Just assume the user of your library knows what they're doing. If I want to send a body with a GET request I can, because the spec doesn't forbid that. So why should your library?

Furthermore the HTTP spec is open in this; an extension to HTTP (like WebDAV) can specify new methods (verbs) that do or don't allow or even require a message body.

I think the current effort can better be spent on more important parts.

I'm going to answer this:

1. From the perspective of request-bodies, not response-bodies, as that is what is asked, and of most interest.
2. In terms of when the body is required, and when it is forbidden.

No request is required to include a body, although the absence of a body might be interpreted as an empty body or one of zero length.

RFC2616 4.3 states:

4.3 Message Body The rules for when a message-body is allowed in a message differ for requests and responses.

...

A message-body MUST NOT be included in a request if the specification of the request method (section 5.1.1) does not allow sending an entity-body in requests.

Going through the methods in 5.1.1 (excluding any extension-methods) you will find:

9.8 TRACE

...

A TRACE request MUST NOT include an entity.

So technically any of the other request methods:

OPTIONS
GET
HEAD
POST
PUT
DELETE
CONNECT

... could include a body. Back to 4.3:

if the request method does not include defined semantics for an entity-body, then the message-body SHOULD be ignored when handling the request.

So in-response to an unexpected entity-body for a particular method or resource, it is safe to ignore it and respond, including the response-code, as if the body was not sent.

Reference: RFC2616 Hypertext Transfer Protocol -- HTTP/1.1

Edit: RFC2616 is well and truly obsolete, refer to RFC7230 for the latest specification.

EDIT: compiled list:

• an entity-body is only present when a message-body is present (section 7.2)
• the presence of a message-body is signaled by the inclusion of a Content-Length or Transfer-Encoding header (section 4.3)
• a message-body must not be included when the specification of the request method does not allow sending an entity-body (section 4.3)
• an entity-body is explicitly forbidden in TRACE requests only, all other request types are unrestricted (section 9, and 9.8 specifically)

For responses, this has been defined:

• whether a message-body is included depends on both request method and response status (section 4.3)
• a message-body is explicitly forbidden in responses to HEAD requests (section 9, and 9.4 specifically)
• a message-body is explicitly forbidden in 1xx (informational), 204 (no content), and 304 (not modified) responses (section 4.3)
• all other responses include a message-body, though it may be of zero length (section 4.3)

---

This (RFC 7231) Or This version (From IETF & More In-Depth) is what you want. According to the RFC:

For PUT:

The PUT method requests that the enclosed entity be stored under the supplied Request-URI. If the Request-URI refers to an already existing resource, the enclosed entity SHOULD be considered as a modified version of the one residing on the origin server. If the Request-URI does not point to an existing resource, and that URI is capable of being defined as a new resource by the requesting user agent, the origin server can create the resource with that URI. If a new resource is created, the origin server MUST inform the user agent via the 201 (Created) response. If an existing resource is modified, either the 200 (OK) or 204 (No Content) response codes SHOULD be sent to indicate successful completion of the request. If the resource could not be created or modified with the Request-URI, an appropriate error response SHOULD be given that reflects the nature of the problem. The recipient of the entity MUST NOT ignore any Content-* (e.g. Content-Range) headers that it does not understand or implement and MUST return a 501 (Not Implemented) response in such cases.

And for DELETE:

The DELETE method requests that the origin server delete the resource identified by the Request-URI. This method MAY be overridden by human intervention (or other means) on the origin server. The client cannot be guaranteed that the operation has been carried out, even if the status code returned from the origin server indicates that the action has been completed successfully. However, the server SHOULD NOT indicate success unless, at the time the response is given, it intends to delete the resource or move it to an inaccessible location.

A successful response SHOULD be 200 (OK) if the response includes an entity describing the status, 202 (Accepted) if the action has not yet been enacted, or 204 (No Content) if the action has been enacted but the response does not include an entity.

If the request passes through a cache and the Request-URI identifies one or more currently cached entities, those entries SHOULD be treated as stale. Responses to this method are not cacheable.