Question

With the POST, GET and PUT methods I can send the nonce value to the server along with the rest of the client request data, but the DELETE method is not supposed to carry any parameters, just the name of the resource.

I'm thinking of using the If-Match header.

Would that be right?

(I know the nonce is supposed to be part of some auth scheme, like OAuth or HTTP Digest access authentication, but right now I'm not going full REST and prefer to use session authentication. Maybe I'm doing it completely wrong and should reconsider this?)


Solution

The correct (and only) place for authentication data, such as a custom nonce value, is in the request headers.

  1. You can't send it as part of the URL (including query param) because that would alter the resource you were trying to delete. Query parameters are part of the resource identifier, and anyone who tells you otherwise is lying.
  2. You can't send it in the body because the delete method has no request body.
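
An added example, not part of the original answer: a WSGI handler that accepts DELETE only when a session-bound, single-use nonce arrives in a request header. The header name `X-Request-Nonce`, the `sid` cookie and the in-memory stores are assumptions made for illustration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical names: X-Request-Nonce header, "sid" cookie, in-memory stores.
SESSIONS = {}  # session id -> {"user": ..., "nonce": ...}
RESOURCES = {"/items/42": "constructed sample resource"}

def issue_nonce(sid):
    """Create a fresh single-use nonce bound to an existing session."""
    nonce = secrets.token_urlsafe(32)
    SESSIONS[sid]["nonce"] = nonce
    return nonce

def app(environ, start_response):
    """DELETE needs a valid session cookie plus the nonce in a header."""
    def reply(status):
        start_response(status, [("Content-Type", "text/plain")])
        return [b""]

    if environ["REQUEST_METHOD"] != "DELETE":
        return reply("405 Method Not Allowed")
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    session = SESSIONS.get(cookie["sid"].value if "sid" in cookie else None)
    if session is None:
        return reply("401 Unauthorized")
    # WSGI exposes the X-Request-Nonce header as HTTP_X_REQUEST_NONCE.
    sent = environ.get("HTTP_X_REQUEST_NONCE", "")
    expected = session.pop("nonce", None)  # consumed on every attempt
    if expected is None or not hmac.compare_digest(sent.encode(), expected.encode()):
        return reply("403 Forbidden")
    # The URL path alone names the resource; no query string or body is read.
    if RESOURCES.pop(environ["PATH_INFO"], None) is None:
        return reply("404 Not Found")
    return reply("204 No Content")

def delete(path, sid, nonce=None):
    """Drive the app with a constructed request; return the status line."""
    environ = {"REQUEST_METHOD": "DELETE", "PATH_INFO": path,
               "HTTP_COOKIE": f"sid={sid}"}
    if nonce is not None:
        environ["HTTP_X_REQUEST_NONCE"] = nonce
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

Because the nonce is popped before comparison, a failed guess also invalidates it, so the client must fetch a new one before retrying.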
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow