TL;DR. HTTP got a new method in June: QUERY (RFC 10008), a GET that carries a body. Everyone wrote explainers and threat models. Nobody actually fired it at real infrastructure. So I did, for a few nights: ten production edges from CloudFront to raw nginx, three browser engines, real client libraries. One law fell out of all of it. The more a layer "understands" HTTP methods, the more likely it is to break the newest one. And when I forced a real cache to store a QUERY, it served one query's answer to a different query.

RFC 10008 shipped in June. If you missed it: QUERY is a request method with GET's semantics (safe, idempotent, cacheable) that carries its query in the body like POST. It's the thing we've faked with POST /search for twenty years, finally given a name.

Twenty years of POST /search was a small lie we told every cache and WAF. QUERY is the honest version.

Within days of the RFC there was already a wave of posts. Explainers mostly, plus a couple of good security write-ups mapping the "attack surface." Every one of them was theory. Not one ran a request. The Hive Security piece even calls its own smuggling section "the most speculative entry on this list, there's no confirmed public case yet." So the interesting question was wide open: what does QUERY actually DO when it hits the real internet?