HTTP

405 - Method Not Allowed

A 405 Method Not Allowed response means the request used an HTTP method the server does not support for that path, for example sending DELETE to a GET-only endpoint or POST to a read-only route. This client-side error (4xx) happens when the route exists but the method is invalid for it. It is most common when REST API conventions are violated (GET for updates), but also appears when CORS preflight OPTIONS requests aren't handled or methods are disabled by configuration.

Common Causes

  • Frontend: Wrong HTTP method for endpoint (PUT instead of PATCH, DELETE instead of POST). CORS preflight OPTIONS request fails. Method not allowed in fetch/axios call. Browser form submission uses wrong method attribute.
  • Backend: Route handler only implements GET, not POST/PUT/DELETE. Missing OPTIONS handler for CORS preflight. Method explicitly disabled in route configuration. Route middleware rejects specific methods.
  • Infrastructure: Nginx/Apache blocks specific methods (deny DELETE). Load balancer method filtering. WAF blocks certain HTTP methods. API gateway method restrictions.

Solutions

  1. Step 1: Diagnose - Check DevTools Network tab—verify the HTTP method shown (GET, POST, PUT, DELETE). Check Response Headers for Allow header listing supported methods. Review API documentation for correct method.
  2. Step 2: Diagnose - Server logs show which method was attempted. Check route definitions—verify method is implemented. Review CORS configuration for OPTIONS handling. Check middleware that filters methods.
  3. Step 3: Fix - Client-side: Use correct HTTP method per API docs. Check Allow header from OPTIONS request to see supported methods. Ensure CORS preflight OPTIONS succeeds before main request.
  4. Step 4: Fix - Server-side: Implement route handlers for all required methods. Add OPTIONS handler for CORS preflight. Include Allow header in 405 responses. Review route method registrations.
  5. Step 5: Fix - Infrastructure: Check Nginx limit_except directives. Review WAF method filtering rules. Verify API gateway method mappings. Ensure load balancer passes all methods.

Code Examples

Fetch API: Check Allowed Methods
// Client-side: Check allowed methods before request
async function fetchWithMethodCheck(url, method) {
  // Check allowed methods via OPTIONS.
  // Cross-origin scripts can read Allow only if the server lists it in
  // Access-Control-Expose-Headers; otherwise headers.get('Allow') is null.
  const optionsResponse = await fetch(url, { method: 'OPTIONS' });
  // Split on commas and trim so both "GET, POST" and "GET,POST" parse
  const allowedMethods = (optionsResponse.headers.get('Allow') ?? '')
    .split(',')
    .map((m) => m.trim().toUpperCase())
    .filter(Boolean);

  if (!allowedMethods.includes(method.toUpperCase())) {
    console.error(`Method ${method} not allowed. Allowed: ${allowedMethods.join(', ')}`);
    return null;
  }

  // Make request with correct method
  const response = await fetch(url, { method });

  // The server can still answer 405 (for example, a proxy filtered the method)
  if (response.status === 405) {
    const allowed = response.headers.get('Allow');
    throw new Error(`Method ${method} not allowed. Use: ${allowed}`);
  }

  return response.json();
}
Express.js: CORS and Method Handling
// Server-side: Handle CORS preflight and method restrictions
const express = require('express');
const cors = require('cors');
const app = express();

// CORS configuration for preflight OPTIONS.
// This list is app-wide: /api/users below accepts only GET and POST, so a
// PUT or DELETE preflight passes here and the real request then gets a 405.
app.use(cors({
  origin: 'https://example.com',
  methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
  allowedHeaders: ['Content-Type', 'Authorization'],
}));

// Handle OPTIONS preflight.
// With the cors() defaults (preflightContinue: false) the middleware above
// already answers OPTIONS requests, so this handler is reached only when
// preflightContinue is set to true.
app.options('/api/users', (req, res) => {
  res.header('Allow', 'GET, POST, OPTIONS');
  res.sendStatus(200);
});

// Only allow GET and POST
app.get('/api/users', (req, res) => {
  res.json({ users: [] });
});

app.post('/api/users', (req, res) => {
  res.json({ success: true });
});

// Handle unsupported methods (registered last, so it only sees requests
// that no handler above answered)
app.use('/api/users', (req, res) => {
  res.status(405)
     .header('Allow', 'GET, POST, OPTIONS')
     .json({ error: 'Method Not Allowed', allowed: ['GET', 'POST'] });
});

app.listen(3000); // port is an example value
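
The Express example writes the Allow value by hand in two places, which can drift from the handlers that are actually registered. The following added example (not code from the original page) derives the 404/405 decision and the Allow header from a single route table using only Node's built-in http module; the paths, handlers and the names `routes`, `allowedMethods`, `resolve` and `createServer` are constructed for illustration.

```javascript
// Added example: one route table drives 404, 405, OPTIONS and the Allow header.
// Paths and handler bodies are constructed sample values.
const routes = new Map([
  ['/api/users', { GET: () => ({ users: [] }), POST: () => ({ success: true }) }],
  ['/api/health', { GET: () => ({ ok: true }) }],
]);

// Methods a path answers: registered handlers, HEAD when GET exists, and OPTIONS.
function allowedMethods(path) {
  const handlers = routes.get(path);
  if (!handlers) return null; // unknown path: caller answers 404, not 405
  const methods = new Set(Object.keys(handlers));
  if (methods.has('GET')) methods.add('HEAD');
  methods.add('OPTIONS');
  return [...methods].sort();
}

// Pure decision function: returns { status, headers, body } for a method and path.
function resolve(method, path) {
  const allowed = allowedMethods(path);
  if (!allowed) return { status: 404, headers: {}, body: { error: 'Not Found' } };
  const allow = allowed.join(', ');
  const verb = String(method).toUpperCase();
  if (verb === 'OPTIONS') return { status: 204, headers: { Allow: allow }, body: null };
  if (!allowed.includes(verb)) {
    // Route exists but the method is not registered: 405 carries Allow (RFC 9110).
    return { status: 405, headers: { Allow: allow }, body: { error: 'Method Not Allowed' } };
  }
  // verb is in the allowlist here, so this lookup cannot reach inherited properties.
  const handler = routes.get(path)[verb === 'HEAD' ? 'GET' : verb];
  return { status: 200, headers: {}, body: verb === 'HEAD' ? null : handler() };
}

// Wire the decision function into Node's built-in HTTP server.
// Start it with createServer().listen(3000); the port is an example value.
function createServer() {
  return require('http').createServer((req, res) => {
    const { pathname } = new URL(req.url, 'http://localhost');
    const { status, headers, body } = resolve(req.method, pathname);
    if (body !== null) headers['Content-Type'] = 'application/json';
    res.writeHead(status, headers);
    res.end(body === null ? undefined : JSON.stringify(body));
  });
}
```

Adding or removing a handler in `routes` changes the Allow header automatically, so the 405 response and the OPTIONS response always list the same methods.
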
Nginx: Method Restrictions
# Nginx: Allow only specific HTTP methods
server {
    listen 80;
    server_name api.example.com;

    location /api/users {
        # Only allow GET and POST (allowing GET also allows HEAD).
        # Methods denied here receive 403 Forbidden from Nginx, not 405.
        limit_except GET POST {
            deny all;
        }

        # An upstream named "backend" (or a resolvable host) must exist
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;

        # Handle OPTIONS for CORS
        if ($request_method = OPTIONS) {
            add_header 'Allow' 'GET, POST, OPTIONS';
            # '*' permits any origin; prefer a specific origin such as the
            # one used in the Express example
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            return 204;
        }
    }
}

Provider Information

This error code is specific to HTTP services. For more information, refer to the official HTTP documentation.