The HTTP 405 Method Not Allowed error occurs when a web server understands your request but refuses to allow that specific HTTP method for the resource you're trying to access. Unlike a 404 error where the server doesn't recognize the resource, a 405 error means the server knows what you want but won't let you use that particular method to access it.
This error is common when working with REST APIs, web applications, and server configurations. The server
typically includes an Allow header in the
response that lists which HTTP methods are actually permitted for that resource, helping you understand what went
wrong and how to fix it.
What is the 405 Method Not Allowed Error?
The 405 Method Not Allowed is an HTTP status code that indicates the server recognizes the HTTP method you're using, but the specific resource doesn't support it. HTTP methods define the action you want to perform: GET retrieves data, POST creates new resources, PUT updates existing resources, and DELETE removes resources.
When you send a request with a method that isn't allowed for that endpoint, the server responds with a 405 status code. For example, if you try to send a DELETE request to an endpoint that only accepts GET and POST, you'll receive a 405 error with an Allow header showing the permitted methods.
POST /api/data HTTP/1.1
Host: example.com
Content-Type: application/json
{"key": "value"}
// Server response:
HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD
Content-Type: text/htmlCommon Causes of 405 Errors
Wrong HTTP Method
The most common cause is using the wrong HTTP method for an endpoint. REST APIs are strict about which methods each endpoint accepts. For instance, a read-only endpoint might only accept GET requests, while a creation endpoint might only accept POST.
// Wrong: Trying to DELETE a read-only endpoint
fetch('/api/users', {
method: 'DELETE'
});
// Returns: 405 Method Not Allowed
// Allow: GET, POST
// Correct: Using the right method
fetch('/api/users', {
method: 'GET'
});Server Configuration Restrictions
Web servers like Apache and Nginx can be configured to restrict certain HTTP methods for security reasons. These restrictions might block methods like DELETE or PUT even if your application code supports them.
In Apache, you might see method restrictions in .htaccess or httpd.conf files. Nginx
uses limit_except
directives in its configuration files.
API Endpoint Rules
APIs enforce strict rules about which methods each endpoint accepts. If you're working with a third-party API or building your own, the endpoint might be designed to only accept specific methods. Sending a GET request to an endpoint that only accepts POST will result in a 405 error.
Framework Routing Issues
Web frameworks like Express.js, Flask, or Django require you to define routes for each HTTP method. If you only define a GET handler for a route but try to send a POST request, the framework will return a 405 error because no POST handler exists.
Security Filters and WAFs
Web Application Firewalls and security filters might block certain HTTP methods to prevent attacks. Methods like TRACE or OPTIONS are sometimes blocked by default, which can cause 405 errors even when your application would normally accept them.
How to Fix 405 Method Not Allowed Errors
Validate the HTTP Method
Start by checking if you're using the correct HTTP method for the endpoint. Review the API documentation or use an OPTIONS request to discover which methods are allowed.
# Check allowed methods with OPTIONS request
curl -X OPTIONS https://api.example.com/users -i
# Response will include Allow header:
# Allow: GET, POST, PUTIf you receive a 405 error with an Allow header, adjust your request to use one of the permitted methods listed in that header.
Check Server Configuration
For Apache servers, check your .htaccess or httpd.conf files for method
restrictions.
# Apache: Allow specific methods
Order Allow,Deny
Allow from all
# If you need DELETE, add it:
Order Allow,Deny
Allow from all
For Nginx, check your nginx.conf file for limit_except directives.
# Nginx: Allow specific methods
location /api {
limit_except GET POST {
deny all;
}
}
# To allow DELETE, update it:
location /api {
limit_except GET POST DELETE {
deny all;
}
}After making changes to server configuration files, restart your web server for the changes to take effect.
Fix Framework Routing
In web frameworks, ensure you've defined route handlers for all the HTTP methods you want to support. Here's an example for Express.js:
// Express.js: Define all needed methods
app.get('/posts', (req, res) => {
res.json(posts);
});
app.post('/posts', (req, res) => {
const newPost = createPost(req.body);
res.status(201).json(newPost);
});
// If you try DELETE without a handler, you'll get 405
app.delete('/posts/:id', (req, res) => {
deletePost(req.params.id);
res.status(204).send();
});Check API Endpoint Documentation
Review the API documentation to confirm which methods each endpoint accepts. Many APIs provide clear documentation about supported methods, or you can use OPTIONS requests to query the server directly.
// Use OPTIONS to discover allowed methods
fetch('/api/users', {
method: 'OPTIONS'
})
.then(response => {
const allowedMethods = response.headers.get('Allow');
console.log('Allowed methods:', allowedMethods);
});Review Security Filters
If you're using a Web Application Firewall or security filters, check their configuration to ensure they're not blocking legitimate HTTP methods. Some WAFs block methods like TRACE or OPTIONS by default, but you might need to allow DELETE or PUT for your application to work correctly.
Check Authentication and Permissions
Sometimes what appears to be a 405 error might actually be a permissions issue. Some APIs restrict certain methods to authenticated users or specific roles. Make sure you're including proper authentication headers in your requests.
// Include authentication headers
fetch('/api/posts/1', {
method: 'DELETE',
headers: {
'Authorization': 'Bearer ' + token,
'Content-Type': 'application/json'
}
});Examine Server Logs
Server logs can provide valuable information about why a 405 error is occurring. Check your web server's error logs for messages about method restrictions.
Apache logs typically show messages like "Method PUT not allowed for /api/data" in the error log. Nginx logs might show "method not allowed" errors. These logs help you identify whether the issue is with server configuration, application code, or API endpoint rules.
Real-World Examples
Example 1: REST API Endpoint
Imagine you have a REST API with a /posts endpoint that only
supports GET and POST methods. If you try to send a DELETE request to this endpoint, you'll receive a 405 error.
// This will return 405 Method Not Allowed
fetch('/posts', {
method: 'DELETE'
});
// Correct: Use GET to retrieve posts
fetch('/posts', {
method: 'GET'
});
// Or POST to create a new post
fetch('/posts', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ title: 'New Post', content: 'Post content' })
});Example 2: Express.js Route Handler
In Express.js, if you only define a GET handler for a route but try to send a POST request, you'll get a 405 error because no POST handler exists.
// Only GET is defined
app.get('/items', (req, res) => {
res.json(items);
});
// This POST request will return 405
// POST /items -> 405 Method Not Allowed
// Fix: Add a POST handler
app.post('/items', (req, res) => {
const newItem = createItem(req.body);
res.status(201).json(newItem);
});Example 3: Server Configuration Issue
If your Apache server is configured to only allow GET and POST methods, any PUT or DELETE requests will return 405 errors even if your application code supports them.
# Current configuration (restrictive)
Order Allow,Deny
Allow from all
# PUT and DELETE requests will return 405
# Updated configuration (allows PUT and DELETE)
Order Allow,Deny
Allow from all
Testing and Debugging
When debugging 405 errors, use tools like curl or Postman to test different HTTP methods and see which ones are actually allowed. The server's Allow header in the 405 response tells you exactly what methods you can use.
# Test different methods
curl -X GET https://api.example.com/data -i
curl -X POST https://api.example.com/data -i
curl -X PUT https://api.example.com/data -i
curl -X DELETE https://api.example.com/data -i
# Check allowed methods
curl -X OPTIONS https://api.example.com/data -iThe OPTIONS method is particularly useful because it returns the Allow header without actually performing the action, making it safe to use for discovery.
Prevention Best Practices
- Review API documentation: Always check which HTTP methods each endpoint supports before making requests
- Use OPTIONS requests: Query endpoints with OPTIONS to discover allowed methods programmatically
- Define all route handlers: In your framework, ensure you've created handlers for all methods you want to support
- Test server configuration: Verify that your web server configuration allows the methods your application needs
- Check security filters: Ensure WAFs and security filters aren't blocking legitimate methods
- Include proper headers: Some APIs require authentication or specific headers for certain methods
- Monitor server logs: Regularly check logs to catch method restriction issues early
Summary
The HTTP 405 Method Not Allowed error occurs when you use an HTTP method that the server recognizes but doesn't permit for the specific resource. Common causes include using the wrong method for an endpoint, server configuration restrictions, missing route handlers in frameworks, and security filters blocking methods.
To fix 405 errors, validate that you're using the correct HTTP method, check server configurations for method restrictions, ensure your framework routes support the methods you need, review API documentation, and examine server logs for detailed error information. The Allow header in the 405 response provides valuable clues about which methods are actually permitted.
By understanding how HTTP methods work and following best practices for API design and server configuration, you can prevent most 405 errors and resolve them quickly when they occur. Always test your endpoints with different methods and use OPTIONS requests to discover what's actually allowed before implementing your application logic.
