405 Method Not Allowed
The HTTP 405 Method Not Allowed status code is a client error returned by the server to indicate the resource exists but the requested HTTP method is not allowed. For example, a DELETE request against a read-only resource triggers this status.
The response is cacheable by default. To override this behavior, the response must include appropriate HTTP caching headers.
Usage
When a 405 Method Not Allowed error arrives, the client understands the resource exists but the specified method is not permitted. As part of the response, the server sends an Allow header listing the methods currently supported for the resource.
SEO impact
Search engines like Google do not index a URL returning a 405 status. Previously indexed URLs returning this status code are removed from search results.
Example
The client attempts to DELETE a read-only resource. The server responds with 405 Method Not Allowed and includes the Allow header showing only GET, HEAD, and OPTIONS are permitted.
Request
DELETE /policies.pdf HTTP/1.1
Host: www.example.re
Response
HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, OPTIONS
Content-Type: text/html
Content-Length: 157

<html>
<head>
<title>Operation Not Permitted</title>
</head>
<body>
<p>This resource is read-only and cannot be
deleted.</p>
</body>
</html>
How to fix
A 405 Method Not Allowed means the resource exists but does not support the HTTP method in the request.
Check the Allow header in the response. The server includes this header listing every permitted method for the resource. Switch to one of the listed methods. Inspect the header with curl -I <url> or in browser DevTools under the Response Headers section.
Switch to the correct method. A common mistake is sending POST to a read-only endpoint or GET to a submission endpoint. Match the method to the operation described in the API documentation. Form submissions default to GET unless the method attribute is set to post.
Verify the API endpoint documentation. REST APIs define specific methods per resource path. Confirm the path and method combination is valid. A trailing slash mismatch between /api/users and /api/users/ routes to different handlers in many frameworks, and one path accepts the method while the other does not.
Check server configuration for method restrictions. Web server directives restrict allowed methods per location. In Apache, the <Limit> and <LimitExcept> blocks control access by method:
<LimitExcept GET HEAD OPTIONS>
    Require all denied
</LimitExcept>
In nginx, the limit_except directive achieves the same:
location /api {
    limit_except GET POST {
        deny all;
    }
}
Adjust these directives to permit the intended method.
Handle CORS preflight requests. Cross-origin requests trigger an OPTIONS preflight before the actual method. The server must respond to OPTIONS with the correct Access-Control-Allow-Methods header listing the permitted methods. A missing or incomplete CORS configuration returns 405 for the preflight. In nginx:
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
Review application framework routing. Web frameworks (Django, Rails, Express, Spring) only register routes for explicitly declared methods. A missing route decorator or controller action for the requested method produces 405. Confirm the route definition matches the intended HTTP method.
Check for static file server interference. nginx serves static files by default and rejects POST requests to static resources. When POST is intended for an application backend, verify the location block routes the request to the upstream application instead of the static file handler.
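The routing behaviour described above, as an added example that is not part of the original page: a deny-by-default dispatcher that derives the Allow header from the registered routes, distinguishes 404 from 405, and treats /api/users and /api/users/ as separate routes. The route table, handlers and function names are constructed for illustration and do not belong to any particular framework.

```python
from http import HTTPStatus

# Constructed route table (hypothetical paths): path -> {method: handler}.
# "/api/users" and "/api/users/" are distinct keys, as in many frameworks.
ROUTES = {
    "/policies.pdf": {"GET": lambda: "policy document"},
    "/api/users": {"GET": lambda: "user list"},
    "/api/users/": {"GET": lambda: "user list", "POST": lambda: "user created"},
}


def allowed_methods(path):
    """Return the sorted methods a path supports, or None if the path is unknown."""
    handlers = ROUTES.get(path)
    if handlers is None:
        return None
    methods = set(handlers) | {"OPTIONS"}
    if "GET" in handlers:
        methods.add("HEAD")  # HEAD is served wherever GET is registered
    return sorted(methods)


def dispatch(method, path):
    """Return (status, headers, body); any method not registered is refused."""
    allowed = allowed_methods(path)
    if allowed is None:
        return HTTPStatus.NOT_FOUND, {}, ""
    allow = {"Allow": ", ".join(allowed)}
    if method not in allowed:
        # The resource exists but the method does not: 405 carries Allow.
        return HTTPStatus.METHOD_NOT_ALLOWED, allow, ""
    if method == "OPTIONS":
        return HTTPStatus.NO_CONTENT, allow, ""
    body = ROUTES[path]["GET" if method == "HEAD" else method]()
    return HTTPStatus.OK, {}, ("" if method == "HEAD" else body)


if __name__ == "__main__":
    for m, p in [("DELETE", "/policies.pdf"), ("POST", "/api/users"),
                 ("POST", "/api/users/"), ("GET", "/missing")]:
        status, headers, _ = dispatch(m, p)
        print(m, p, int(status), headers.get("Allow", ""))
```

Because the Allow value is computed from the same table that dispatches requests, the header cannot drift from what the server actually accepts.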
Code references
.NET
HttpStatusCode.MethodNotAllowed
Rust
http::StatusCode::METHOD_NOT_ALLOWED
Rails
:method_not_allowed
Go
http.StatusMethodNotAllowed
Symfony
Response::HTTP_METHOD_NOT_ALLOWED
Python 3.5+
http.HTTPStatus.METHOD_NOT_ALLOWED
Java
java.net.HttpURLConnection.HTTP_BAD_METHOD
Apache HttpComponents Core
org.apache.hc.core5.http.HttpStatus.SC_METHOD_NOT_ALLOWED
Angular
@angular/common/http/HttpStatusCode.MethodNotAllowed
Takeaway
The 405 Method Not Allowed status code indicates the resource exists but the specified HTTP method is not permitted. The server returns the list of acceptable methods in the Allow header.
See also
- RFC 9110: HTTP Semantics
- Google: HTTP status codes and network errors
- 400 Bad Request
- 403 Forbidden
- Allow
- HTTP methods
- HTTP status codes