The RFC says:
10.4.6 405 Method not allowed
The method specified in the query string is not allowed for the resource identified by the Request-URI. The response MUST include the Allow header containing a list of valid methods for the requested resource.
However, I was not able to identify a single server that matches this MUST.
I see that this requirement will be very difficult to fulfill with the help of modern web servers, given the existence of various proxied, dynamic applications, etc.
- Why, historically, does this requirement make sense?
- Does anything depend on this behavior? What will be the precedent for this?
- Do any web servers get this aspect of http right? IIS (at least when using ASP.NET), and even some RESTful APIs return 404, not 405 when they give a dummy method, as far as I could tell.
In addition, why do servers return 405 for methods such as BOGUS that are not explicitly implemented by the server, even when serving documents, and not for proxying or invoking any code (cgi / etc) when they should return 501?
Should these parts of HTTP be considered "rudimentary," seeing how little if any servers meet the specification?
In fact, for most frameworks it’s not so difficult to return “Allow”. All the frameworks that I know about require clarification of the methods to which a particular controller will be called (usually the default is GET), and the code can easily register extension methods using the framework to return it.
So far, the evidence seems to indicate that: a) no one reads the specification, and no one knows about this requirement, b) no one cares about this function.
Corey richardson
source share