HTTP 405 -- web server compliance

Corey Richardson picture Corey Richardson · Mar 28, 2013 · Viewed 7.7k times · Source

The RFC states:

10.4.6 405 Method Not Allowed

The method specified in the Request-Line is not allowed for the resource identified by the Request-URI. The response MUST include an Allow header containing a list of valid methods for the requested resource.

However, I've been unable to identify a single server which complies with that MUST.

I can see that that requirement would be very hard to fulfill with modern web servers, given the variety of proxying, dynamic applications, etc that exist.

  1. Why, historically, did that requirement make sense?
  2. Does anything depend on that behavior, or did it ever? What would a use case for it be?
  3. Do any web servers "properly" implement this aspect of http? IIS (at least when using ASP.NET) and even some "RESTful" APIs return 404 rather than 405 when giving a bogus method, as far as I've been able to tell.

Additionally, why do servers return 405 for methods such as BOGUS that clearly are not implemented by the server, even when serving documents and not proxying out or calling some code (cgi/etc), when they should return 501?

Should these parts of HTTP be considered "vestigial", seeing as few if any servers conform to the spec?


Actually, it isn't that hard for most frameworks to properly return 'Allow'. All of the frameworks I know of require specification of which methods a specific controller is going to be called for (usually defaulting to GET), and code could easily register extension methods with the framework for it to return.

So far the evidence seems to point to either a) nobody reads the spec and nobody knows about this requirement, b) nobody cares about this feature.

Answer

groovecoder picture groovecoder · Nov 9, 2014

Trying to directly answer the questions:

  1. The requirement still makes sense, especially - as Meryn's comment says for HATEOAS API's.

  2. Since a server is "An application program that accepts connections in order to service requests by sending back responses" it's easy to say yes - there are applications on the net that depend on it. ;) One such use case is to respond 405 to a POST /resource/1/ with Allow: GET, HEAD, PUT, DELETE to indicate the resource is not a "factory resource".

  3. Since the methods allowed on a resource could vary by application logic, we should also consider application servers - as you point out in your question. In which case, yes - e.g., django returns a proper Allow header with 405 responses.