HTTP verb used is not allowed

When writing RESTful APIs, we often used the HTTP verbs to control our operations.

Http Verb
Reads information
Create a record
Update a record
Delete a record

Our MVC APIs usually are set with attributes to indicate the verb as well.

During the development process, we test our APIs with IIS Express, so there is no unexpected behavior. When deploying to our test and production environments, the web server settings may be set to only allow the most common verbs like GET, POST and OPTIONS.  If this is the case when we deploy our API, we may come across this error when testing out the PUT or DELETE operations:

405 - HTTP verb used to access this page is not allowed

A quick way to control that from our applications is to set the allow verb configuration in our web.config file. This overrides the IIS settings for our application.  We can do this by setting the following web server configuration.


          <verbs allowUnlisted="false">
            <add verb="GET" allowed="true" />
            <add verb="OPTION" allowed="true" />
            <add verb="POST" allowed="true" />
            <add verb="DELETE" allowed="false" />
            <add verb="PUT" allowed="true" />          </verbs>              

      <remove name="WebDAVModule" />

      <remove name="WebDAV" />


The settings above indicate that we want to allow GET,POST, OPTION and PUT, and DELETE should not be allowed.  We also need to remove a WebDAV module and handler that can raise this error as they intercept some of the less common verb like PUT and DELETE.

The advantage of doing the changes on the web.config over configuring IIS is that as the application is deployed on any other server/environment; no one has to remember to update that setting on IIS.

Hope that helps.

Originally published by ozkary.com


Post a Comment

What do you think?