405 Method Not Allowed

The HTTP 405 status code means the server doesn’t support the requested HTTP method for the target resource.

For example, sending a POST request to an endpoint that only supports GET requests will trigger the HTTP 405 error.

When responding with this status code, the server might include the Allow header indicating supported HTTP methods.

Note that some firewalls and network ACLs might disable particular HTTP methods for increased security. OWASP recommends disabling the HTTP TRACE method because it can be used for the “Cross-Site Tracing (XST)” attack.

As of today, there are 9 available HTTP methods:

Trivia

HTTP/1.0 and HTTP/1.1 defined LINK and UNLINK HTTP methods, but they never gained wide adoption.

Example

Let’s send a PATCH request to Google’s homepage using curl:

curl -X PATCH -o /dev/null -vL --compressed https://www.google.com

Their servers respond with a 405 Method Not Allowed status code, including allowed HTTP methods:

HTTP/2 405
allow: GET, HEAD
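
The server side of the same behaviour, as an added example that is not part of the original page: a small WSGI middleware that answers 405 with an Allow header for any method a resource does not support, which also rejects TRACE. The route table and the names `method_allowlist` and `probe` are hypothetical, and requests are made in-process rather than over the network.

```python
from wsgiref.util import setup_testing_defaults

# Hypothetical route table (assumption): path -> methods that resource supports.
ROUTES = {"/": ("GET", "HEAD"), "/notes": ("GET", "HEAD", "POST")}


def app(environ, start_response):
    """Stand-in application; it only sees requests the allowlist let through."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def method_allowlist(inner, routes):
    """WSGI middleware: answer 405 with an Allow header before the app runs."""
    def wrapped(environ, start_response):
        allowed = routes.get(environ.get("PATH_INFO", "/"))
        if allowed is None:
            start_response("404 Not Found", [("Content-Length", "0")])
            return [b""]
        if environ["REQUEST_METHOD"] not in allowed:
            # Known resource, unsupported method (TRACE included): 405 + Allow.
            headers = [("Allow", ", ".join(allowed)), ("Content-Length", "0")]
            start_response("405 Method Not Allowed", headers)
            return [b""]
        return inner(environ, start_response)
    return wrapped


def probe(wsgi_app, method, path):
    """Call the app in-process; return (status code, Allow header or None)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    setup_testing_defaults(environ)  # fills in the remaining required WSGI keys
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = int(status.split()[0]), dict(headers)

    list(wsgi_app(environ, start_response))  # consume the body iterable
    return seen["status"], seen["headers"].get("Allow")


guarded = method_allowlist(app, ROUTES)

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for method, path in [("GET", "/"), ("PATCH", "/"), ("TRACE", "/"), ("POST", "/notes")]:
        print(method, path, probe(guarded, method, path))
```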