How a user-agent can discover the allowable methods
This note describes how a user-agent can discover the allowable methods, and how the server responds to methods it cannot handle.
Each server resource can be accessed with one or more of the following methods:
The HTTP specification provides a mechanism for a user agent to discover which of these methods are allowed on a particular resource through the
As an example, if the user agent wants to discover which methods are available for the resource at
OPTIONS request can be sent to that URL, and the response will contain an allow header listing the available methods, which may look like:
Normally, the list of allowable methods returned in the allow header is the list of methods configured by the webmaster in the methods entry. But not always. When the RBAC Module is enabled, access to resources is restricted on a path-pattern basis. Each path-pattern specifies a list of allowable methods and the roles that are permitted to use those methods. An OPTIONS request in this circumstance may return a smaller set of allowable methods.
If a user agent wants to query the server for the list of allowable methods, without limiting it to a resource path, a bare '*' may be issued to the server like this: https://example.com/*. The server will respond with an allow header equivalent to the values configured by the webmaster in the
Response code 405
Whenever any request method — other than OPTIONS — cannot be fulfilled, the server returns status code 405 with an allow header listing the methods that are allowed. When the OPTIONS method itself is not enabled by the webmaster, the response will have status code 405 and no allow response header will be present.
There are no special configuration settings for the allow header. Its behavior is defined by IETF RFC 7231, HTTP/1.1 Semantics and Content, Section 7.4.1.
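The rules above, modelled as a small decision function. This is an added example, not the server's own code. The sample configuration, the glob-style pattern matching, the role names, the 200 status for a successful OPTIONS, and the use of the RBAC-narrowed list in 405 responses are all assumptions; role-based denials are outside the model.

```python
from fnmatch import fnmatchcase

# Constructed sample configuration (not taken from the page).
CONFIGURED = ["GET", "HEAD", "OPTIONS", "PUT", "DELETE"]  # the methods entry
RBAC_RULES = [  # (path-pattern, allowable methods, permitted roles)
    ("/public/*", ["GET", "HEAD", "OPTIONS"], ["anonymous", "editor"]),
    ("/drafts/*", ["GET", "HEAD", "OPTIONS", "PUT", "DELETE"], ["editor"]),
]


def allowed_methods(path, configured, rbac_rules=None, role="anonymous"):
    """Configured methods, narrowed by RBAC when rules are supplied."""
    # RBAC disabled, or a bare '*' query: report the configured list as is.
    if rbac_rules is None or path == "*":
        return list(configured)
    permitted = set()
    for pattern, methods, roles in rbac_rules:
        # Assumption: glob-style matching stands in for the real pattern syntax.
        if fnmatchcase(path, pattern) and role in roles:
            permitted.update(methods)
    # RBAC can only shrink the configured list, never extend it.
    return [m for m in configured if m in permitted]


def method_check(method, path, configured, rbac_rules=None, role="anonymous"):
    """Return (status, headers); status None means the method check passed."""
    allow = ", ".join(allowed_methods(path, configured, rbac_rules, role))
    if method == "OPTIONS":
        if "OPTIONS" not in configured:
            return 405, {}               # OPTIONS disabled: 405, no allow header
        return 200, {"allow": allow}     # status 200 is an assumption
    if method not in configured:
        return 405, {"allow": allow}     # unsupported method: 405 plus allow
    return None, {}                      # continue to normal request handling


if __name__ == "__main__":
    print(method_check("OPTIONS", "/public/index.html", CONFIGURED, RBAC_RULES))
    print(method_check("PATCH", "/public/index.html", CONFIGURED, RBAC_RULES))
    print(method_check("OPTIONS", "/public/index.html", ["GET", "HEAD"]))
```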
Key points to remember:
- The OPTIONS method should be included in the methods entry of every production server.
- The allow response header lists the methods allowed on a particular resource.
- The RBAC module may limit the methods allowed on a resource.