When issuing a perfectly cromulent verb to a local IIS Express web-site under Visual Studio 2013:
CROMULENT http://localhost:7579/Handler.ashx HTTP/1.1
Host: localhost:7579
the server responds with the error:
HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, OPTIONS, TRACE
That is a request to a «generic handler» (i.e. .ashx). If if i try again to a static resource:
SCHWIFTY http://localhost:7579/Default.htm HTTP/1.1
Host: localhost:7579
the server responds with the error:
HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, OPTIONS, TRACE
This is all by way to trying to use HTTP verbs:
DELETE http://localhost:7579/Handler.ashx HTTP/1.1
Host: localhost:7579
HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, OPTIONS, TRACE
PUThttp://localhost:7579/Handler.ashx HTTP/1.1
Host: localhost:7579
HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, OPTIONS, TRACE
This question has been asked to death, sometimes by me. But nobody has ever come up with a solution.
</Question>
Microsoft’s Bug
The problem, fundamentally, is that Microsoft ships IIS and IISExpress broken by default. Rather than handling HTTP verbs, as a web-server is required to do, they don’t handle verbs.
This can most easily be seen when managing full IIS running on Windows Server. Pick any of the built-in handlers (e.g. the cshtml handler), and you can see that someone thought it would be hilarious if it only worked with GET, HEAD, POST, and DEBUG verbs:
rather than correctly implementing support for HTTP in an HTTP server.
The question becomes:
- why exactly doesn’t it work
- how exactly to fix it
- how to fix it in IIS Express (without any management tools)
- why it continues to be shipped, year after year, broken
Question 1. Why doesn’t it work?
The first question is why doesn’t it work. Let’s look at an IIS server where we’ve removed every handler except the basic Static file handler:
The handler is configured to all all verbs:
The only handler left is set to allow any verb. Yet if we issue a request to the web server we get the error:
DELETE http://scratch.avatopia.com/ HTTP/1.1
Host: scratch.avatopia.com
HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, OPTIONS, TRACE
Server: Microsoft-IIS/7.5
Why is this happening?
Why didn’t it work? Where is the configuration option that says:
GETHEADOPTIONSTRACE
because the server itself is saying those are the only supported verbs.
Yet if we change it to a GET it works fine:
GET http://scratch.avatopia.com/ HTTP/1.1
User-Agent: Fiddler
Host: scratch.avatopia.com
HTTP/1.1 200 OK
Content-Type: text/html
Question 2. How to fix it?
The common wisdom is to remove WebDAV. Nobody knows what WebDAV is, how it could be a problem, why it is a problem, or why it exists if it only causes problems. WebDAV can be removed as a handler from the IIS administration user interface:
which is identical to adding a remove entry from the handlers section in web.config (the UI itself adds the entry to web.config for you):
<system.webServer>
<handlers>
<remove name="WebDAV" />
</handlers>
</system.webServer>
Except this doesn’t work. So how do we fix it?
Starting with IIS it seems that WebDAV has become even more of a virus. Rather than simply disabling it as a handler, you have to completely install or remove it as a module:
<system.webServer>
<modules>
<remove name="WebDAVModule" />
</modules>
<handlers>
<remove name="WebDAV" />
</handlers>
</system.webServer>
That sounds like a reason idea, except in my test case, on IIS 7.5, WebDAV is both not installed, and removed as a module:
HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, OPTIONS, TRACE
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 10 May 2016 19:19:42 GMT
Content-Length: 0
So, if we can figure out how to solve the problem, we can answer question number two.
Question 3. How to fix it in IIS Express
Starting with Visual Studio 20131, Visual Studio no longer uses a mini web-server called Cassini. It uses a portable install of IIS Express itself (i.e. IIS Express Windows feature doesn’t need to be installed).
Most of the above fix (attempts) (fail) in IIS. But nobody has dealt with them in IIS Express of Visual Studio 2013 (which is how this question is different from any others).
Question 4. Why does this keep happening?
It’s been over 15 years, and this still keeps happening. There must be a good reason why IIS does not function as a web-server. But what is it? I’ve not been able to find any knowledge base article, or blog post, explaining why the IIS team refuses to function correctly.
Bonus Reading
- The most popular Stackoverflow question for this problem: ASP.NET Web API — PUT & DELETE Verbs Not Allowed — IIS 8
Research Effort
- HTTP Error 405.0 — Method Not Allowed, with POST (no answer, php)
- HTTP Error 405.0 — Method Not Allowed (no answer)
- POST verb not allowed (php)
- HTTP Error 405.0 — Method Not Allowed in ASP.net MVC5 (no answer, mvc)
- JQuery File Uploader = error 405 IIS8.5 (jquery no answer)
- IIS 7.5 405 Method Not Allowed for PUT from StaticFileModule (no answer, static module, iis)
- The HTTP verb POST used to access path is not allowed («don’t use verbs»)
- http error 405 method not allowed error with web.API (uninstall WebDAV; already isn’t)
- Handling Perl IIS 7.5 (perl)
- HTTP Error 405.0 — Method Not Allowed using Jquery ajax get (ajax)
- What causes an HTTP 405 «invalid method (HTTP verb)» error when POSTing a form to PHP on IIS? (iis6, ftp, php)
- http://forums.asp.net/t/1648594.aspx («have you tried pinging your computer»)
- Angular $resource POST/PUT to WebAPI 405 Method Not Allowed (try removing WebDAV handlder and WebDAV module)
- Http Error 405.0 — method not allowed iis 7.5 module staticfilemodule (no solution)
- Unable to set up WebDAV with IIS 7 *(trying to setup webdav)*
- Android SOAP request is returning HTTP Response 405 (no solution)
- wcf service doesn’t allow POST (wcf)
- WebAPI Delete not working — 405 Method Not Allowed (WebAPI; remove WebDAV)
- Remove From My Forums
-
Question
-
User1840894103 posted
I am creating a website that runs on Angular 10 as frontend and enitity web API as backend. Many of my Angular pages push information to the next page via «POST». When submitting information from a Angular form using «POST» I receive the following
error:HTTP Error 405.0 — Method Not Allowed
The page you are looking for cannot be displayed because an invalid method (HTTP verb) is being used.
<fieldset>
Most likely causes:
- The request sent to the Web server used an HTTP verb that is not allowed by the module configured to handle the request.
- A request was sent to the server that contained an invalid HTTP verb.
- The request is for static content and contains an HTTP verb other than GET or HEAD.
- A request was sent to a virtual directory using the HTTP verb POST and the default document is a static file that does not support HTTP verbs other than GET or HEAD.
</fieldset>
<fieldset>
Things you can try:
- Verify the list of verbs enabled for the module handler this request was sent to, and ensure that this verb should be allowed for the Web site.
- Check the IIS log file to see which verb is not allowed for the request.
- Check the failed request tracing logs for additional information about this error. For more information, click here.
</fieldset>
<fieldset>
Detailed Error Information:
Module StaticFileModule Notification ExecuteRequestHandler Handler StaticFile Error Code 0x80070001 Requested URL http://localhost:62510/Register.html Physical Path C:Users********DocumentsVisual Studio 2015WebSitesPrismlibRegister.html Logon Method Anonymous Logon User Anonymous Request Tracing Directory C:Users********DocumentsIISExpressTraceLogFilesPRISMLIB </fieldset>
<fieldset>
More Information:
This error means that the request sent to the Web server contained an HTTP verb that is not allowed by the configured module handler for the request.
</fieldset>
I have tried changing the web.config file and adding/removing various handlers and modules , but it did not fix the issue.
What do I need to do to resolve this error?
| uid | title | author | description | ms.author | ms.date | ms.assetid | msc.legacyurl | msc.type |
|---|---|---|---|---|---|---|---|---|
|
web-api/overview/testing-and-debugging/troubleshooting-http-405-errors-after-publishing-web-api-applications |
Troubleshoot Web API2 apps that work in Visual Studio and fail on a production IIS server |
rmcmurray |
Troubleshoot Web API2 apps that work in Visual Studio and fail on a production IIS server |
riande |
01/23/2019 |
07ec7d37-023f-43ea-b471-60b08ce338f7 |
/web-api/overview/testing-and-debugging/troubleshooting-http-405-errors-after-publishing-web-api-applications |
authoredcontent |
Troubleshoot Web API2 apps that work in Visual Studio and fail on a production IIS server
This doc explains how to troubleshoot Web API2 apps that are deployed to a production IIS server. It addresses common HTTP 405 and 501 errors.
Software used in this tutorial
- Internet Information Services (IIS) (version 7 or later)
- Web API
Web API apps typically use several HTTP verbs: GET, POST, PUT, DELETE, and sometimes PATCH. That being said, developers may run into situations where those verbs are implemented by another IIS module on their production IIS server, which leads to a situation where a Web API controller that works correctly in Visual Studio or on a development server will return an HTTP 405 error when it is deployed to a production IIS server.
What causes HTTP 405 errors
The first step toward learning how to troubleshoot HTTP 405 errors is to understand what an HTTP 405 error actually means. The primary governing document for HTTP is RFC 2616, which defines the HTTP 405 status code as Method Not Allowed, and further describes this status code as a situation where «the method specified in the Request-Line is not allowed for the resource identified by the Request-URI.» In other words, the HTTP verb is not allowed for the specific URL that an HTTP client has requested.
As a brief review, here are several of the most-used HTTP methods as defined in RFC 2616, RFC 4918, and RFC 5789:
| HTTP Method | Description |
|---|---|
| GET | This method is used to retrieve data from a URI, and it probably the most-used HTTP method. |
| HEAD | This method is much like the GET method, except that it doesn’t actually retrieve the data from the request URI — it simply retrieves the HTTP status. |
| POST | This method is typically used to send new data to the URI; POST is often used to submit form data. |
| PUT | This method is typically used to send raw data to the URI; PUT is often used to submit JSON or XML data to Web API applications. |
| DELETE | This method is used to remove data from a URI. |
| OPTIONS | This method is typically used to retrieve the list of HTTP methods that are supported for a URI. |
| COPY MOVE | These two methods are used with WebDAV, and their purpose is self-explanatory. |
| MKCOL | This method is used with WebDAV, and it is used to create a collection (e.g. a directory) at the specified URI. |
| PROPFIND PROPPATCH | These two methods are used with WebDAV, and they are used to query or set properties for a URI. |
| LOCK UNLOCK | These two methods are used with WebDAV, and they are used to lock/unlock the resource identified by the request URI when authoring. |
| PATCH | This method is used to modify an existing HTTP resource. |
When one of these HTTP methods is configured for use on the server, the server will respond with the HTTP status and other data that is appropriate for the request. (For example, a GET method might receive an HTTP 200 OK response, and a PUT method might receive an HTTP 201 Created response.)
If the HTTP method is not configured for use on the server, the server will respond with an HTTP 501 Not Implemented error.
However, when an HTTP method is configured for use on the server, but it has been disabled for a given URI, the server will respond with an HTTP 405 Method Not Allowed error.
Example HTTP 405 error
The following example HTTP request and response illustrate a situation where an HTTP client is attempting to PUT value to a Web API app on a web server, and the server returns an HTTP error which states that the PUT method is not allowed:
HTTP Request:
[!code-consoleMain]
HTTP Response:
[!code-consoleMain]
In this example, the HTTP client sent a valid JSON request to the URL for a Web API application on a web server, but the server returned an HTTP 405 error message which indicates that the PUT method was not allowed for the URL. In contrast, if the request URI did not match a route for the Web API application, the server would return an HTTP 404 Not Found error.
Resolve HTTP 405 errors
There are several reasons why a specific HTTP verb may not be allowed, but there is one primary scenario that is the leading cause of this error in IIS: multiple handlers are defined for the same verb/method, and one of the handlers is blocking the expected handler from processing the request. By way of explanation, IIS processes handlers from first to last based on the order handler entries in the applicationHost.config and web.config files, where the first matching combination of path, verb, resource, etc., will be used to handle the request.
The following example is an excerpt from an applicationHost.config file for an IIS server that was returning an HTTP 405 error when using the PUT method to submit data to a Web API application. In this excerpt, several HTTP handlers are defined, and each handler has a different set of HTTP methods for which it is configured — the last entry in the list is the static content handler, which is the default handler that is used after the other handlers have had a chance to examine the request:
[!code-xmlMain]
In the preceding example, the WebDAV handler and the Extension-less URL Handler for ASP.NET (which is used for Web API) are clearly defined for separate lists of HTTP methods. Note that the ISAPI DLL handler is configured for all HTTP methods, although this configuration will not necessarily cause an error. However, configuration settings like this need to be considered when troubleshooting HTTP 405 errors.
In the preceding example, the ISAPI DLL handler was not the problem; in fact, the problem was not defined in the applicationHost.config file for the IIS server — the problem was caused by an entry that was made in the web.config file when the Web API application was created in Visual Studio. The following excerpt from the application’s web.config file shows the location of the problem:
[!code-xmlMain]
In this excerpt, the Extension-less URL Handler for ASP.NET is redefined to include additional HTTP methods that will be used with the Web API application. However, since a similar set of HTTP methods is defined for the WebDAV handler, a conflict occurs. In this specific case, the WebDAV handler is defined and loaded by IIS, even though WebDAV is disabled for the website that includes the Web API application. During the processing of an HTTP PUT request, IIS calls the WebDAV module since it is defined for the PUT verb. When the WebDAV module is called, it checks its configuration and sees that it is disabled, so it will return an HTTP 405 Method Not Allowed error for any request that resembles a WebDAV request. To resolve this issue, you should remove WebDAV from the list of HTTP modules for the website where your Web API application is defined. The following example shows what that might look like:
[!code-xmlMain]
This scenario is often encountered after an application is published from a development environment to an IIS production environment, and this occurs because the list of handlers/modules is different between your development and production environments. For example, if you are using Visual Studio 2012 or later to develop a Web API application, IIS Express is the default web server for testing. This development web server is a scaled-down version of the full IIS functionality that ships in a server product, and this development web server contains a few changes that were added for development scenarios. For example, the WebDAV module is often installed on a production web server that is running the full version of IIS, although it may not be in use. The development version of IIS, (IIS Express), installs the WebDAV module, but the entries for the WebDAV module are intentionally commented out, so the WebDAV module is never loaded on IIS Express unless you specifically alter your IIS Express configuration settings to add WebDAV functionality to your IIS Express installation. As a result, your web application may work correctly on your development computer, but you may encounter HTTP 405 errors when you publish your Web API application to your production IIS web server.
- Indicates the specific functionality has not been implemented on the server.
- Typically means that there is no handler defined in your IIS settings which matches the HTTP request:
- Probably indicates that something was not installed correctly on IIS or
- Something has modified your IIS settings so that there are no handlers defined that support the specific HTTP method.
To resolve that issue, you would need to reinstall any application that is attempting to use an HTTP method for which it has no corresponding module or handler definitions.
Summary
HTTP 405 errors are caused when an HTTP method is not allowed by a web server for a requested URL. This condition is often seen when a particular handler has been defined for a specific verb, and that handler is overriding the handler that you expect to process the request.
Recently I cam across an issue when making HTTP DELETE or PUT requests to API would result in “405 method not allowed” error. After a quick research it turned out to be WebDAV component’s doing in IIS. Let’s re-create this issue locally, and learn how to solve it.
Dummy RESTful API
First, let’s create a very simple Web API for testing. I used Visual Studio 2017 with .NET Core 1.1 and went for an empty WebApi project.
And slightly modified default the default controller to create a dummy RESTful API. Controller’s code below.
Please note I am using “WebApplication4” namespace after my test solution.
IIS set up
Then published the project and set up a new site on IIS.
Make sure you have WebDAV module installed at this point. If you don’t see WebDAV module in your IIS, you need to install it in “Turn Windows Features On or Off” under Internet Information Services > World Wide Web Services > Common HTTP Features. Screenshot below.
To make IIS set up easier I’ve also used “testapi” local domain, and therefore needed to add following line to Windows hosts file:
Now you can make GET, POST, PUT, and DELETE requests to your test API using your favourite REST testing app. I used Postman. And you should get following results.
- GET – 200 “get”
- POST – 201
- PUT/DELETE – “405 method not allowed” (screenshot below)
Congratulations! We’ve just replicated the problem. Now, let’s focus on the fix.
So what is WebDAV?
Per iis.net documentation:
WebDAV is an Internet-based open standard that enables editing Web sites over HTTP and HTTPS connections.
In other words, WebDAV, if configured correctly, allows you to publish content to remote websites, therefore has a tightened security about PUT and DELETE methods to prevent accidental (or intentional:)) content modification. On one hand, it should be possible to configure WebDAV to work nicely with RESTful APIs and allow PUT and DELETE requests, however the less components and modules you have in your system, the less potential security holes you get. For example, MHTML 0-Day Vulnerability Won’t be Patched Tomorrow.
Deleting WebDAV
If you don’t need to use WebDAV, then the easiest and the best way to fix “405 method not allowed” issue is to remove WebDAV from your system. You can easily get this done in “Turn Windows Features On or Off” simply un-ticking the checkbox.
Once WebDAV is deleted, we can make PUT and DELETE calls to our test API successfully, and now the results are:
- GET – 200 “get”
- POST – 201
- PUT – 200 “put”
- DELETE – 204
All set!
Tips and Tricks
In Windows Server OS there are two different menu items for adding and removing features in Server Manager. Screenshot below.
Conclusions
In this blog post we covered setting up a sample RESTful API, installing WebDAV, replicating the “405 method not allowed” issue, and fixed it by removing WebDAV.
WebDAV can cause IIS to block PUT and DELETE calls to an application, and if you don’t use WebDAV, the best solution is to remove WebDAV from your IIS.
Symptoms
When attempting to POST to a web page in Internet Information
Services (IIS) 5.1 under Windows 2000 (Win2k) or Windows XP, you may
receive the following error:
The page cannot be displayed The page you are looking for cannot be displayed because the page address is incorrect. -------------------------------------------------------------------------------- Please try the following: If you typed the page address in the Address bar, check that it is entered correctly. Open the 127.0.0.1 home page and then look for links to the information you want. HTTP 405 - Resource not allowed Internet Information Services -------------------------------------------------------------------------------- Technical Information (for support personnel) More information: Microsoft Support
The code in the sample page that was posted might have been:
<!-- test.html EXAMPLE --> <html> <head><title>Test Post</title> </head> <body> <form method="post" action="test.html"> <input type="submit"> </form> </body></html>
Cause
The file type is not registered in the IIS script map settings (e.g. .html or .htm). IIS 5.1 only
allows HTTP requests of type to GET to unmapped files. HTTP requests of type POST, HEAD, and all others are
responded to
with a 405 resource not allowed error.
As a security note, you should always remove unused script mappings. This is the default behavior of IIS 6, which will
only serve named extensions and refuse all others.
Resolution
Add a script map for the extension. A script map associates a particular file type
with a given script module. The web server runs the module on the given file and sends the output to the browser, instead of
sending the file directly to the browser.
- Go to «Control Panel»-«Administrative Tools»-«Internet Information Services».
- Expand the tree to «COMPUTERNAME«-«Web Sites»-«Default Web Site».
- Right-click on «Default Web Site» and select «Properties». (Alternately, select «Default Web
Site» and press Alt+Enter.) - Select the «Home Directory» tab.
- Click the «Configuration» button.
- From the «Mappings» tab, select the «Add» button.
- Click the «Browse…» button, choose «Dynamic Link Libraries
*.dll» from the «Files of Type» dropdown, and select c:WINDOWSSystem32inetsrvasp.dll. - Type «.html» (without quotes) in the «Extension» box.
- Select the «Limit to:» radio button, and type in «GET, POST» (without quotes)
in the box next to it. - Click the «OK» button and close all the dialogs. (If the «OK» button is greyed out, then make sure
all the entries are correct and try clicking in the file name box.)
See the screen shot below. You must adjust the above instructions to your particular OS, web site configuration, and file
type. You can associate the file type with a
different script engine besides asp.dll, which is the ASP 3.0 script engine. There is no need to give
IWAM_COMPUTERNAME permission to the file, only IUSR_COMPUTERNAME needs NTFS
read and execute permission.
Screen Shot
More Information
Applies to
Internet Information Services (IIS) 5.1
Windows XP
Windows 2000
Links
- Microsoft Knowledge Base Article — 238461 — Error Message: 405 Method
Not Allowed when using FrontPage 2000 Server Extensions from Microsoft or Microsoft Office 2000 Server Extensions - Troubleshooting
Common IIS Errors - Microsoft Advanced Search — Search for «HTTP 405 — Resource not allowed»
Created 2004-12-16,
Last Modified 2011-07-24,
© Shailesh N. Humbad
Disclaimer: This content is provided as-is.
The information may be incorrect.