Back to HTTP Methods

LOCK

Takes out a shared or exclusive lock on a resource to prevent concurrent modification, defined by WebDAV.

Safe Idempotent Cacheable Has Request Body

What it does

LOCK reserves a resource for exclusive or shared editing, preventing (or coordinating) concurrent modification by other clients — WebDAV's answer to "two people editing the same document at once." A successful LOCK returns a lock token, which the client must present on subsequent write requests (PUT, PROPPATCH, DELETE, MOVE) to prove it holds the lock.

This is a genuinely different concurrency-control mechanism from HTTP's ETag/If-Match approach used elsewhere — instead of optimistic concurrency (try the write, fail if something changed), LOCK is pessimistic: reserve the resource first, then write with confidence nobody else can.

Semantics

Property Value Why it matters
Safe No Changes the resource's lock state
Idempotent No Calling LOCK again (a "refresh") extends the timeout rather than being a no-op — repeated calls have a cumulative effect on lock duration
Cacheable No Not a read
Request body Yes XML specifying lock type (exclusive/shared), scope, and owner info
Response body Yes XML containing the lock token and details

Syntax & example request

LOCK /files/report.pdf HTTP/1.1
Host: dav.example.com
Timeout: Second-3600
Content-Type: application/xml

<?xml version="1.0"?>
<D:lockinfo xmlns:D="DAV:">
  <D:lockscope><D:exclusive/></D:lockscope>
  <D:locktype><D:write/></D:locktype>
  <D:owner>[email protected]</D:owner>
</D:lockinfo>
HTTP/1.1 200 OK
Content-Type: application/xml
Lock-Token: <urn:uuid:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>

<D:prop xmlns:D="DAV:">
  <D:lockdiscovery>
    <D:activelock>
      <D:locktype><D:write/></D:locktype>
      <D:lockscope><D:exclusive/></D:lockscope>
      <D:depth>0</D:depth>
      <D:timeout>Second-3600</D:timeout>
      <D:locktoken><D:href>urn:uuid:e71d4fae-5dec-22d6-fea5-00a0c91e6be4</D:href></D:locktoken>
    </D:activelock>
  </D:lockdiscovery>
</D:prop>

curl example

curl -X LOCK https://dav.example.com/files/report.pdf \
  -H "Content-Type: application/xml" \
  -H "Timeout: Second-3600" \
  --data '<?xml version="1.0"?><D:lockinfo xmlns:D="DAV:"><D:lockscope><D:exclusive/></D:lockscope><D:locktype><D:write/></D:locktype></D:lockinfo>'

Common status codes returned

  • 200 OK — lock refreshed on an already-locked resource → see 200
  • 201 Created — lock created on a resource that didn't exist before (LOCK can create an empty locked resource) → see 201
  • 423 Locked — resource is already locked by someone else → see 423

Shared vs exclusive locks

Lock type Meaning
Exclusive Only the lock holder can write; everyone else is blocked
Shared Multiple clients can hold the same shared lock simultaneously — useful for "several people editing collaboratively, but exclude outsiders" scenarios

Real-world usage

  • Document management systems (older CMS platforms, some file-sync tools) preventing two users from overwriting each other's edits to the same file
  • WebDAV clients showing a "locked by another user" indicator when a document is checked out elsewhere

Security considerations

Lock tokens function like bearer credentials for a specific resource — anyone who obtains the token can perform locked-write operations as if they were the original lock holder, so tokens need to be treated with the same care as session tokens (transmitted only over TLS, not logged, not leaked in URLs). Servers should also enforce reasonable lock timeouts — an indefinitely-held lock that the original client abandoned (crashed, lost connectivity) without releasing effectively becomes a permanent denial-of-service against that resource unless timeouts force expiration.

FAQ

Why is LOCK not idempotent?

Calling LOCK again on an already-locked resource (by the same owner, presenting the right token) typically refreshes the lock's timeout rather than being a no-op — so the effect of calling it twice (extended duration) differs from calling it once, which is what disqualifies it from being idempotent by the strict definition.

What happens if a client holding a lock disconnects without releasing it?

The lock persists until its Timeout expires — this is why LOCK requests specify a timeout up front, so abandoned locks eventually release themselves rather than blocking a resource indefinitely.

How does a client prove it holds a lock on a later request?

By including the lock token (returned in the LOCK response's Lock-Token header) in an If header on subsequent write requests to that resource — the server checks the token matches an active lock before allowing the write.

Fun fact

WebDAV's LOCK/UNLOCK pair is one of the few places in core HTTP-adjacent specs where pessimistic concurrency control (reserve first, then write) is standardized — nearly everywhere else in HTTP (ETags, If-Match), the pattern is optimistic (attempt the write, fail cleanly if something changed underneath you).

Related Methods