Declaring which HTTP methods are acceptable and applicable
Methods
Preliminaries
This note describes the different configuration options that govern which HTTP methods are acceptable and applicable at the host level, and how to limit methods on resources that match a path-pattern.
The standard HTTP methods are HEAD
, GET
, PUT
, DELETE
, POST
, PATCH
, OPTIONS
and TRACE
.
Not every website needs all of these.
Websites that are designed to serve static files, only need HEAD
, GET
and OPTIONS
. Websites that process form data need those three and POST
as well. Websites that allow basic authoring capabilities using WebDAV further need PUT
and DELETE
. And websites that provide interactive capabilities using AJAX may want to implement PATCH
as well. Finally, for debugging purposes, a webmaster may want to temporarily enable the TRACE
method.
Each host configuration should declare which methods it is prepared to handle. If no such declaration is made in the host
section, the methods declared in the server
section will be used as a fallback.
Over and above this basic declaration, there are several configuration sections that further restrict which methods are allowed or applicable.
The RBAC module defines role based access to resource patterns. Those definitions include a parameter that lists the methods that are applicable to the given RBAC resource/role pair. In this way it is possible to allow for example, HEAD
and GET
access to all resources by users with low privileges; but to allow PUT
and DELETE
access only to users with elevated privileges.
The Router module defines supplementary processing modules to be called when resource requests match a given resource pattern. Those definitions include a parameter that lists the methods that are applicable to the router definition. In this way it is possible to allow for example, a POST
request to a URL to be sent to an API module for updating data, while a GET
request to the same URL might be sent to a different API module for retrieving the data.
The Cross Origin module defines CORS rules. In some preflight requests the requestor may ask for permission to use a method other than GET
. Unless the configuration explicitly allows those other methods, the CORS response will be 403
.
Configuration
Every configuration must include a methods
entry — in either the server
or host
section — to declare which methods it supports. The methods should be spelled with all capital letters, and concatenated using commas, without intervening whitespace.
When methods are further refined in module configurations, they use a *methods
attribute to list which methods are applicable. This applies to the RBAC, Router, and Cross Origin modules. The syntax for these attributes is the same as for the main methods declaration: capitalized words and comma-separated values.
Placement
The main methods
declaration section is typically placed in the host
section, but when not present, the declaration in the server
section will be used. Values appearing in both are never merged; the host
section's takes precedence.
Information Headers
When a request is received for a resource that is not configured to allow the given method, the response fails with status code 405
and information header rw-method-not-allowed
.
When a CORS preflight request is made for a method that is not configured, the response fails with status code 403
.
EBNF
SP | ::= | U+20 |
CR | ::= | U+0D |
COMMA | ::= | U+2C |
method-name | ::= | 'HEAD' | 'GET' | 'PUT' | 'DELETE' | 'POST' | 'PATCH' | 'OPTIONS' | 'TRACE' |
methods-entry | ::= | 'methods' SP (method-name COMMA)* CR |
For the EBNF specifications of the RBAC, Router, and Cross Origin modules, refer to those documentation pages.
Cookbook
Example 1: Typical methods declaration
host {
methods HEAD,GET,OPTIONS
}
Example 2: Distinct methods based on RBAC roles
host {
methods HEAD,GET,POST,PUT,PATCH,DELETE,OPTIONS
rbac {
resources {
`/rbac/credentials` *methods=POST *roles=anonymous
`/rbac/free-pages` *methods=GET,HEAD *roles=anonymous
`/rbac/free-pages` *methods=PUT,DELETE *roles=editor,devops
}
}
}
Example 3: Selected methods for routed modules
host {
methods HEAD,GET,POST,PUT,PATCH,DELETE,OPTIONS
router {
`*.blue` *methods=GET,HEAD *module=/rwserve/dist/handlers/route/blue-handler.class.js
}
}
Example 4: CORS methods
host {
methods HEAD,GET,POST,PUT,PATCH,DELETE,OPTIONS
request {
cross-origin {
`/cors/trusted-host-A` *methods=OPTIONS,GET,PUT *origin="trusted-host-a.com"
`/cors/trusted-host-B` *methods=OPTIONS,GET,PUT *origin="trusted-host-b.com"
}
}
}
Review
Key points to remember:
- Always include a declaration of the methods allowed.
- Refine the list of applicable methods for path-patterns using a
*methods
attribute. - Configure the server to use the smallest set of HTTP methods possible, to block illegitimate requests.