codeigniter4 · paulbalandan · Feb 23, 2026 · Feb 22, 2026
diff --git a/app/Config/Filters.php b/app/Config/Filters.php
@@ -93,7 +93,10 @@ class Filters extends BaseFilters
      * permits any HTTP method to access a controller. Accessing the controller
      * with a method you don't expect could bypass the filter.
      *
-     * @var array<string, list<string>>
+     * **IMPORTANT:** HTTP methods are checked case-sensitively, so you should always
+     * use the uppercase form to avoid issues.
+     *
+     * @var array<uppercase-string, list<string>>
      */
     public array $methods = [];
 

diff --git a/system/Config/Filters.php b/system/Config/Filters.php
@@ -106,7 +106,10 @@ class Filters extends BaseConfig
      * permits any HTTP method to access a controller. Accessing the controller
      * with a method you don't expect could bypass the filter.
      *
-     * @var array<string, list<string>>
+     * **IMPORTANT:** HTTP methods are checked case-sensitively, so you should always
+     * use the uppercase form to avoid issues.
+     *
+     * @var array<uppercase-string, list<string>>
      */
     public array $methods = [];
 

diff --git a/system/Filters/Filters.php b/system/Filters/Filters.php
@@ -22,8 +22,6 @@
 use Config\Modules;
 
 /**
- * Filters
- *
  * @see \CodeIgniter\Filters\FiltersTest
  */
 class Filters
@@ -125,26 +123,6 @@ class Filters
     protected array $filterClassInstances = [];
 
     /**
-     * Any arguments to be passed to filters.
-     *
-     * @var array<string, list<string>|null> [name => params]
-     *
-     * @deprecated 4.6.0 No longer used.
-     */
-    protected $arguments = [];
-
-    /**
-     * Any arguments to be passed to filtersClass.
-     *
-     * @var array<class-string, list<string>|null> [classname => arguments]
-     *
-     * @deprecated 4.6.0 No longer used.
-     */
-    protected $argumentsClass = [];
-
-    /**
-     * Constructor.
-     *
      * @param FiltersConfig $config
      */
     public function __construct($config, RequestInterface $request, ResponseInterface $response, ?Modules $modules = null)
@@ -501,8 +479,6 @@ public function reset(): self
     {
         $this->initialized = false;
 
-        $this->arguments = $this->argumentsClass = [];
-
         $this->filters = $this->filtersClass = [
             'before' => [],
             'after'  => [],
@@ -644,18 +620,6 @@ public function enableFilters(array $filters, string $when = 'before')
         return $this;
     }
 
-    /**
-     * Returns the arguments for a specified key, or all.
-     *
-     * @return array<string, string>|string
-     *
-     * @deprecated 4.6.0 Already does not work.
-     */
-    public function getArguments(?string $key = null)
-    {
-        return ((string) $key === '') ? $this->arguments : $this->arguments[$key];
-    }
-
     // --------------------------------------------------------------------
     // Processors
     // --------------------------------------------------------------------
@@ -732,27 +696,9 @@ protected function processMethods()
 
         $method = $this->request->getMethod();
 
-        $found = false;
-
         if (array_key_exists($method, $this->config->methods)) {
-            $found = true;
-        }
-        // Checks lowercase HTTP method for backward compatibility.
-        // @deprecated 4.5.0
-        // @TODO remove this in the future.
-        elseif (array_key_exists(strtolower($method), $this->config->methods)) {
-            @trigger_error(
-                'Setting lowercase HTTP method key "' . strtolower($method) . '" is deprecated.'
-                . ' Use uppercase HTTP method like "' . strtoupper($method) . '".',
-                E_USER_DEPRECATED,
-            );
-
-            $found  = true;
-            $method = strtolower($method);
-        }
-
-        if ($found) {
             $oldFilterOrder = config(Feature::class)->oldFilterOrder ?? false;
+
             if ($oldFilterOrder) {
                 $this->filters['before'] = array_merge($this->filters['before'], $this->config->methods[$method]);
             } else {

diff --git a/tests/system/Filters/CSRFTest.php b/tests/system/Filters/CSRFTest.php
@@ -13,7 +13,6 @@
 
 namespace CodeIgniter\Filters;
 
-use CodeIgniter\Config\Services;
 use CodeIgniter\HTTP\CLIRequest;
 use CodeIgniter\HTTP\IncomingRequest;
 use CodeIgniter\HTTP\Response;
@@ -29,12 +28,7 @@
 final class CSRFTest extends CIUnitTestCase
 {
     private \Config\Filters $config;
-
-    /**
-     * @var CLIRequest|IncomingRequest|null
-     */
-    private $request;
-
+    private CLIRequest|IncomingRequest $request;
     private ?Response $response = null;
 
     protected function setUp(): void
@@ -50,8 +44,8 @@ public function testDoNotCheckCliRequest(): void
             'after'  => [],
         ];
 
-        $this->request  = Services::clirequest(null, false);
-        $this->response = service('response');
+        $this->request  = single_service('clirequest', null);
+        $this->response = single_service('response');
 
         $filters = new Filters($this->config, $this->request, $this->response);
         $uri     = 'admin/foo/bar';
@@ -68,8 +62,8 @@ public function testPassGetRequest(): void
             'after'  => [],
         ];
 
-        $this->request  = service('incomingrequest', null, false);
-        $this->response = service('response');
+        $this->request  = single_service('incomingrequest', null);
+        $this->response = single_service('response');
 
         $filters = new Filters($this->config, $this->request, $this->response);
         $uri     = 'admin/foo/bar';

diff --git a/user_guide_src/source/changelogs/v4.8.0.rst b/user_guide_src/source/changelogs/v4.8.0.rst
@@ -24,6 +24,8 @@ Behavior Changes
 ================
 
 - **Commands:** The ``filter:check`` command now requires the HTTP method argument to be uppercase (e.g., ``spark filter:check GET /`` instead of ``spark filter:check get /``).
+- **Filters:** HTTP method matching for method-based filters is now case-sensitive. The keys in ``Config\Filters::$methods`` must exactly match the request method
+    (e.g., ``GET``, ``POST``). Lowercase method names (e.g., ``post``) will no longer match.
 
 Interface Changes
 =================
@@ -97,6 +99,10 @@ Removed Deprecated Items
     - ``CodeIgniter\HTTP\Exceptions\HTTPException::forInvalidSameSiteSetting()``
     - ``CodeIgniter\Security\Exceptions\SecurityException::forInvalidSameSite()``
     - ``CodeIgniter\Session\Exceptions\SessionException::forInvalidSameSiteSetting()``
+- **Filters:** Removed the following properties and methods deprecated:
+    - ``CodeIgniter\Filters\Filters::$arguments`` (deprecated since v4.6.0)
+    - ``CodeIgniter\Filters\Filters::$argumentsClass`` (deprecated since v4.6.0)
+    - ``CodeIgniter\Filters\Filters::getArguments()`` (deprecated since v4.6.0)
 - **Security:** Removed the following properties and methods deprecated:
     - ``CodeIgniter\Security\SecurityInterface::sanitizeFilename()`` (deprecated since v4.6.2)
     - ``CodeIgniter\Security\Security::sanitizeFilename()`` (deprecated since v4.6.2)