Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

HTTP 405 -- web server compliance

Tags:

rest

http

web

web-frameworks

The RFC states:

10.4.6 405 Method Not Allowed

The method specified in the Request-Line is not allowed for the resource identified by the Request-URI. The response MUST include an Allow header containing a list of valid methods for the requested resource.

However, I've been unable to identify a single server which complies with that MUST.

I can see that that requirement would be very hard to fulfill with modern web servers, given the variety of proxying, dynamic applications, etc that exist.

  1. Why, historically, did that requirement make sense?
  2. Does anything depend on that behavior, or did it ever? What would a use case for it be?
  3. Do any web servers "properly" implement this aspect of http? IIS (at least when using ASP.NET) and even some "RESTful" APIs return 404 rather than 405 when giving a bogus method, as far as I've been able to tell.

Additionally, why do servers return 405 for methods such as BOGUS that clearly are not implemented by the server, even when serving documents and not proxying out or calling some code (cgi/etc), when they should return 501?

Should these parts of HTTP be considered "vestigial", seeing as few if any servers conform to the spec?

Actually, it isn't that hard for most frameworks to properly return 'Allow'. All of the frameworks I know of require specification of which methods a specific controller is going to be called for (usually defaulting to GET), and code could easily register extension methods with the framework for it to return.

So far the evidence seems to point to either a) nobody reads the spec and nobody knows about this requirement, b) nobody cares about this feature.

like image 352
Corey Richardson Avatar asked Mar 28 '13 14:03

Corey Richardson

1 Answers

Trying to directly answer the questions:

  1. The requirement still makes sense, especially - as Meryn's comment says for HATEOAS API's.

  2. Since a server is "An application program that accepts connections in order to service requests by sending back responses" it's easy to say yes - there are applications on the net that depend on it. ;) One such use case is to respond 405 to a POST /resource/1/ with Allow: GET, HEAD, PUT, DELETE to indicate the resource is not a "factory resource".

  3. Since the methods allowed on a resource could vary by application logic, we should also consider application servers - as you point out in your question. In which case, yes - e.g., django returns a proper Allow header with 405 responses.

like image 92
groovecoder Avatar answered Oct 24 '22 11:10

groovecoder
Sign in to Comment

Related questions

Add multiple values to array in single JSON Patch operation?
How do I configure a C# web service client to send HTTP request header and body in parallel?
Get HTTP headers in asynchronous WebClient request
HTTP protocol not supported in WebRequest under mono
How to transparently stream a file to the browser?
What is the "system default" http timeout?
How to remove WebDav in Startup.cs ASP.NET Core
Someone made some wp wlwmanifest.xml http requests, but why?
HTTP DELETE request
How does HTTP download work?
Set http headers to requests generated by browser?
HTTP: Is it acceptable to use the COPY method where the Destination header is not a URI?
c# .NET multipart/form-data Upload A File
Scrapy Crawling Speed is Slow (60 pages / min)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!