Search code, repositories, users, issues, pull requests…
Provide feedback
Saved searches
Use saved searches to filter your results more quickly
Sign up
Overview
4xx codes generally are error responses specifying an issue at the client’s end, potentially a network issue.
- 4xx codes can be used as a response to any request method.
- Origin server should include an explanation which should be displayed by User-Agent, with the exception of a
HEADrequest - Custom rules can return any response code in the range 400-499 in your HTML page, if the site owner has created a rule with Block action and configured a custom response code. Refer to custom response](/waf/custom-rules/create-dashboard/#configuring-a-custom-response-for-blocked-requests) for more details.
The following are common 4xx codes and their definitions:
The request was not sent with the proper authentication credentials
- Server must send with at least one challenge in the form of a
WWW-Authenticateheader field according to section 4.1 - Client may send a second request with the same credentials and then if the challenge is identical to the one before, an entity will be provided by the server to help the client find what credentials are needed.
402 Payment Required (
RFC7231)
Not yet implemented by RFC standards but reserved for future use.
403 Forbidden (
RFC7231)
If you’re seeing a 403 error without Cloudflare branding, this is always returned directly from the origin web server, not Cloudflare, and is generally related to permission rules on your server. The top reasons for this error are:
- Permission rules you have set on the origin web server (in the Apache .htaccess for example)
- Mod_security rules
- IP deny rules. You need to make sure that
Cloudflare’s IP ranges aren’t being blocked
Cloudflare will serve 403 responses if the request violated either a default WAF managed rule enabled for all orange-clouded Cloudflare domains or a WAF managed rule enabled for that particular zone. Read more at WAF Managed Rules.
If you’re seeing a 403 response that contains Cloudflare branding in the response body, this is the HTTP response code returned along with many of our security features:
- WAF Custom or Managed Rules with the challenge or block action
- Security Level, that is set to Medium by default
- Most 1xxx Cloudflare error codes
- The Browser Integrity Check
404 Not Found (
RFC7231)
Origin server was unable or unwilling to find the resource requested. This usually means the host server could not find the resource. To serve a more permanent version of this error one should use a 410 error code.
These errors typically occur when someone mistypes a URL on your site when there is a broken link from another page, when a page that previously existed is moved or removed, or there is an error when a search engine indexes your site. For a typical site, these errors account for approximately 3% of the total page views, but they’re often untracked by traditional analytics platforms like Google Analytics.
Website owners usually implement a custom page to be served when this error is generated.
Cloudflare does not generate 404s for customer websites, we only proxy the request from the origin server. When seeing a 404 for your Cloudflare powered site you should contact your hosting provider for help.
405 Method Not Allowed (
RFC7231)
Origin server is aware of the requested resource, but the request method used is not supported.
- Origin server must also provide an
Allowheader with a list of supported targets for that resource.
An example would be a POST on an unchangeable resource the thus only accepts GET.
406 Not Acceptable (
RFC7231)
Resource is not available at the origin that adheres to negotiation headers that were set prior (e.g. via Accept-Charset and Accept-Language headers)
This status code can be replaced by simply serving the less preferred method to the User-Agent in lieu of generating this error.
407 Authentication Required (
RFC 7235)
The client did not send the required authentication with the request.
408 Request Timeout (
RFC7231)
The origin server did not receive the complete request in what it considers a reasonable time.
- Implied the server does not wish to wait and continue the connection.
- Not used much because servers typically choose to use the “close” connection option.
409 Conflict (
RFC7231)
The request did not complete because of a conflict with the current state of the resource. Typically happens on a PUT request where multiple clients are attempting to edit the same resource.
- The server should generate a payload that includes enough information for the client to recognize the source of the conflict.
- Clients can and should retry the request again
Cloudflare will generate and serve a 409 response for a
Error 1001: DNS Resolution Error.
410 Gone (
RFC7231)
The resource requested is permanently missing at the origin.
- The server is suggesting the links reference the resource should be removed.
- The server is not qualified to use this status code over a 404 response nor required to have this response for any specific period of time.
411 Length Required (
RFC7231)
Client did not define the Content-Length of the request body in the headers and this is required to obtain the resource.
- Client may resend the request after adding the header field.
412 Precondition Failed (
RFC 7232)
Server denies the request because the resource failed to meet the conditions specified by the client.
For an example of version control, a client is modifying an existing resource and thus sets the If-Unmodified-Since header to match the date that the client downloaded the resource and began edits. If the resource was edited (likely by another client) after this date and before the upload of the edits, this response will be generated since the date of the last edit will come after the date set in If-Unmodified-Since by the client.
Cloudflare will serve this response. For more information, refer to: ETag Headers
413 Payload Too Large (
RFC7231)
Refusal from the server to process the request because the payload sent from the client is larger than the server wished to accept. Server has the optional to close the connection.
- If this refusal would only happen temporarily, then the server should send a
Retry-Afterheader to specify when the client should try the request again.
414 URI Too Long (
RFC7231)
Refusal from the server that the URI was too long to be processed. For example, if a client is attempting a GET request with an unusually long URI after a POST, this could be seen as a security risk and a 414 gets generated.
Cloudflare will generate this response for a URI longer than 32KB
415 Unsupported Media Type (
RFC7231)
Refusal from the server to process the format of the current payload. One way to identify and fix this issue would be to look at the Content-Type or Content-Encoding headers sent in the client’s request.
416 Range Not Satisfiable (
RFC7233)
The 416 error response code indicates that a server cannot serve the requested ranges. For example:
HTTP/1.1 416 Range Not Satisfiable
Content-Range: bytes */12777
The most common reason is that the file doesn’t include such ranges. Browsers usually either request the entire file again or abort the operation.
417 Expectation Failed (
RFC7231)
Failure of server to meet the requirements specified in the Expect header of the client’s request.
429 Too Many Requests (
RFC6585)
Client has sent too many requests in the specified amount of time according to the server. Often known as “rate-limiting”. Server may respond with information allowing the requester to retry after a specific period of time.
Cloudflare will generate and send this status code when a request is being
rate limited. If visitors to your site are receiving these error codes, you will be able to see this in the Rate Limiting Analytics.
451 Unavailable For Legal Reason (
RFC7725)
Server is unable to deliver the resource due to legal actions.
Typically search engines (e.g. Google) and ISP (e.g. ATT) are the ones affected by this response code and not the origin server.
- The response should include an explanation is the response body with details of the legal demand.
499 Client Close Request
Nginx specific response code to indicate when the connection has been closed by the client while the server is still processing its request, making server unable to send a status code back.
- This will be shown in
Cloudflare Logs and status code analytics for Enterprise customers.
I am currently having issues making POST requests to a load-balanced backend. (The load balancer is managed by Cloudflare).
Making POST requests directly to the individual servers does not cause any trouble. Neither does making GET requests (even through the load balancer).
However, when I make a POST request through the load balancer’s URL it returns with a 405 error.
The logic I am attempting to create follows this:
request (with basic authentication) →
Cloudflare load balancer →
server →
server's localhost:<special port>
This is not my area of expertise, but I have a suspicion it has to do with my Nginx config.
Each server is configured with a proxy_pass to redirect to a specific localhost port.
Here is my <website>.com.conf:
server {
server_name <site>;
location / {
proxy_pass http://localhost:<port>;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
}
# ...Certbot security settings...
}
server {
if ($host = <site>) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name <site>;
listen 80;
return 404; # managed by Certbot
}
Here is the format of the type of requests I might be making:
curl --location --request POST '<Load balancer URL>' \
--header 'Authorization: <Basic Auth for Backend>' \
--header 'Content-Type: application/json' \
--data-raw '
<JSON formatted request>
'
Using the ‘-v’ flag returns this:
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying <IP>:443...
* TCP_NODELAY set
* Connected to <Load Balancer URL> (<IP>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=<Country>; ST=<State>; L=<City>; O=Cloudflare, Inc.; CN= <...>
* start date: May 27 00:00:00 2020 GMT
* expire date: May 27 12:00:00 2021 GMT
* subjectAltName: host "<Load Balancer URL>" matched cert's "*.<...>"
* issuer: C=<Country>; O=Cloudflare, Inc.; CN=Cloudflare Inc <...>
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55f8f7998820)
> POST / HTTP/2
> Host: <Load Balancer URL>
> user-agent: curl/7.68.0
> accept: */*
> authorization: <Backend Authentication>
> content-type: application/json
> content-length: 27
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
* We are completely uploaded and fine
< HTTP/2 405
< date: Thu, 11 Mar 2021 13:58:46 GMT
< content-type: text/html
< set-cookie: __cfduid=d89c9a3af7f0a5bf4a217c57c9b2458711615471126; expires=Sat, 10-Apr-21 13:58:46 GMT; path=/; domain=<...>; HttpOnly; SameSite=Lax; Secure
< cf-cache-status: DYNAMIC
< cf-request-id: 08c32e3ef70000f03155b09000000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< set-cookie: __cflb=04dToTKvCmh27ted7uGQoG5sVWTpTxCb8xpz4UsNcD; SameSite=None; Secure; path=/; expires=Thu, 11-Mar-21 14:28:46 GMT; HttpOnly
< strict-transport-security: max-age=15552000; includeSubDomains; preload
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: 62e54cab2d88f031-EWR
<
<html>
<head><title>405 Not Allowed</title></head>
<body>
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
* Connection #0 to host rpc-testnet.diviproject.org left intact
This is my nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_names_hash_bucket_size 64;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
And there are no syntactical errors:
nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
I know I might be missing something obvious, but despite my research, I could not find anything on this subject. Any help would be greatly appreciated.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
- Pick a username
- Email Address
- Password
By clicking “Sign up for GitHub”, you agree to our terms of service and
privacy statement. We’ll occasionally send you account related emails.
Already on GitHub?
Sign in
to your account
Jun 8, 2022 10:44:17 AM |
405 Method Not Allowed: What It Is and How to Fix It
An overview of what a 405 Method Not Allowed response is, including troubleshooting tips to help you resolve this error in your own application.
The 405 Method Not Allowed is an HTTP response status code indicating that the server received and recognized the specified request HTTP method, but the server rejected that particular method for the requested resource. This code response confirms that the requested resource is valid and exists, but the client has used an unacceptable HTTP method during the request.
Like most HTTP response codes — especially for those that indicate an error — it can be challenging to find the cause of a 405 Method Not Allowed response.
In this article, we’ll examine the 405 Method Not Allowed in more detail. We’ll look at what might cause this message, along with a handful of tips for diagnosing and debugging the appearance of this error within your application. We’ll also examine popular content management systems (CMSs) for potential problem areas that could cause an unexpected 405 Method Not Allowed.
Server- or Client-Side?
All HTTP response status codes in the 4xx category are client error responses. This category contrasts with 5xx classification errors, such as the 503 Service Unavailable Error. These are server error responses. That said, the appearance of a 4xx error doesn’t necessarily mean the issue is on the client-side, where the “client” is the web browser or device being used to access the application.
If you’re trying to diagnose an issue within your application, you can ignore most client-side code and components, such as HTML, cascading style sheets (CSS), client-side JavaScript, etc. This doesn’t apply solely to websites, either. Standard web applications power many smartphone apps that implement a modern-looking user interface.
On the other hand, this doesn’t entirely rule out the server as the actual cause of a 405 error. In some cases, the server may be mishandling requests. This could result in 405 code responses and other problematic traffic routing issues. We’ll explore some of these scenarios (and potential solutions) below. Be aware that, even though the 405 Method Not Allowed is considered a client error response, it doesn’t inherently mean we can rule out the client or the server as the culprit.
Start With a Thorough Application Backup
It is critical that you perform a complete backup of your application before attempting any fixes to the system.
Even better, create a complete copy of the application onto a secondary staging server that isn’t active. This will give you a clean testing ground to test all potential fixes without threatening your live application.
Diagnosing a 405 Method Not Allowed
As discussed in the introduction, a 405 Method Not Allowed indicates that the user agent (the web browser, in most cases) has requested a valid resource using an invalid HTTP method.
This could happen in a few different circumstances:
- The user agent accidentally sent an incorrect HTTP method
- The server is expecting only a handful of valid HTTP methods for the requested resource
Currently, there are nine possible HTTP methods, though some of them are far more prevalent than others. For example, the GET method handles most requests made on the Internet to retrieve data (i.e. “get” a page or resource). The POST method is the second-most common, and it’s typically used to send data to the server (such as login credentials).
Since each possible HTTP method has its own intended uses, it often doesn’t make sense for a server to accept requests using specific methods for particular resources. For example, a resource might exist at the URL https://airbrake.io/users/create, where the server creates a new user when valid credentials are sent via a POST HTTP method request. Therefore, it makes no sense for the server to accept a GET request at that resource/URL, so it may respond with a 405 Method Not Allowed code.
Troubleshooting on the Client-Side
Since the 405 response is a client error response code, it’s best to start troubleshooting any potential client-side issues. Here are a handful of tips to try on the browser or device giving you problems.
Check the Requested URL
The most common cause of a 405 Method Not Allowed is simply inputting an incorrect URL. As discussed before, many web servers will disallow access to improper URLs.
This could be anything from trying to access a file directory via a URL to gaining access to a private page meant for other users. Double-check the exact URL returning the 405 Method Not Allowed error.
Debugging Common Platforms
If you’re running common software packages on the server responding with the 405 Method Not Allowed, you may want to look into the stability and functionality of those platforms.
The most common content management systems (CMSs) — like WordPress, Joomla!, and Drupal — are typically well-tested. Once you start making modifications to the underlying extensions or PHP code, it’s easy to cause unforeseen issues resulting in a 405 error.
Troubleshoot some of these popular software platforms using the tips below.
Rollback Recent Upgrades
Suppose you recently updated the content management system before the 405 Method Not Allowed appeared. You may want to consider rolling back to the previous version you had installed when things were working fine.
Similarly, any extensions or modules you may have recently upgraded can also cause server-side issues, so reverting to previous versions may also help.
Simply Google “downgrade [PLATFORM_NAME] for assistance with this task.” In some cases, however, certain CMSs don’t provide a version downgrade capability, which indicates that they consider the base application and each new version released to be stable and bug-free.
Uninstall New Extensions, Modules, or Plugins
New extensions, modules, and plugins within your CMS all serve the same purpose across every system: improving the capabilities and features of the platform beyond what it’s typically capable of out of the box.
A word of caution: such extensions can take complete control of the system and make virtually any changes. As such, it may be wise to uninstall any new extensions if you suddenly see a 405 error.
Check for Unexpected Database Changes
It’s worth noting that, even if you uninstall an extension through the CMS dashboard, this doesn’t guarantee that changes made by the extension will fully revert. This is particularly true for many WordPress extensions. Some of these extensions are given carte blanche within the application, including full access rights to the database.
For example, some extensions modify database records that don’t “belong” to the extension itself but are instead created and managed by other extensions (or even the base CMS itself). The extension may not know how to revert alterations to database records, so it will ignore such things during uninstallation.
Your best course of action is to open the database and manually look through records that the extension modified.
Troubleshooting on the Server-Side
If you aren’t running a CMS application — or even if you are, but you’re confident the 405 Method Not Allowed error isn’t related to that — here are some additional tips to help you troubleshoot what might be causing the issue on the server-side of things.
Confirm Your Server Configuration
Your application is likely running on a server using one of these three popular webserver software: Apache, nginx, or Cloudflare. At the time of publication, these web servers make up over 86% of the world’s web server software! Check your configuration files for your web server software for unintentional redirect or request handling instructions.
Apache
To determine which web server your application uses, look for a key file. If your web server is Apache, look for an .htaccess file within the root directory of your website file system.
For example, if your application is on a shared host, you’ll likely have a username associated with the hosting account. You can find the application root directory at the path of /home/<username>/public_html/, so the .htaccess file would be at /home/<username>/public_html/.htaccess.
Once you’ve located the .htaccess file, open it in a text editor. Look for lines that use RewriteXXX directives, which are part of the mod rewrite module in Apache. Covering exactly how these rules work is well beyond the scope of this article. However, the basic concept is that a RewriteCond directive defines a text-based pattern that is matched against entered URLs. Suppose a visitor requests a matching URL to the site. In that case, the RewriteRule directive that follows one or more RewriteCond directives is used to perform the actual redirection of the request to the appropriate URL.
For example, here is a simple RewriteRule that matches all incoming GET requests to https://airbrake.io/users/create and responds with a 405 Method Not Allowed error code:
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/users/create/?.*$
RewriteCond %{REQUEST_METHOD} =GET
RewriteRule ^(.*)$ https://airbrake.io/users/new$1 [R=405,L]
Notice the R=405 flag at the end of the RewriteRule, which explicitly states that the response code should be 405. This indicates to user agents that the resource exists, but the provided HTTP method is not allowed. If you find any strange RewriteCond or RewriteRuledirectives in the .htaccess file that doesn’t belong, try temporarily commenting them out (using the # character prefix) and restarting your web server to see if this resolves the issue.
nginx
On the other hand, if your server is running on nginx, you’ll need to look for a completely different configuration file. By default this file is named nginx.conf. It’s located in one of a few common directories: /usr/local/nginx/conf, /etc/nginx, or /usr/local/etc/nginx.
Once located, open nginx.conf in a text editor and look for directives that are using the 405 response code flag. For example, here is a simple block directive (i.e. a named set of directives) that configures a virtual server for airbrake.io and ensures that a POST request to https://airbrake.io/users/create fails and is responded with a 405 response code:
server {
listen 80;
listen 443 ssl;
server_name airbrake.io;
location /users/create {
if ($request_method = POST) {
return 405 https://airbrake.io/users/create$request_uri;
}
}
}
Look through your nginx.conf file for any abnormal directives or lines that include the 405 flag. Comment out any abnormalities. Once that’s done, restart the server and see if the issue is resolved.
Configuration options for each different type of web server can vary dramatically. We’ll just list a few popular ones to give you some resources to look through:
- Apache
- Nginx
- Cloudflare
- IIS
- Node.js
- Apache Tomcat
Look Through the Logs
Nearly every web application will keep some form of server-side logs. Application logs are typically the history of what the application did, such as pages requested, connected servers, database results, etc.
Server logs are related to the actual hardware running the application. Logs will often provide details about the health and status of all connected services or the server itself.
Google “logs [PLATFORM_NAME]” if you’re using a CMS, or “logs [PROGRAMMING_LANGUAGE]” and “logs [OPERATING_SYSTEM]” if you’re running a custom application to get more information on finding the logs in question.
Debug Your Application Code or Scripts
If all else fails, it may be a problem in some custom code within your application. Manually debug your application and parse through application and server logs to diagnose where the issue may be coming from. Or, you can see the error in a manner of seconds using an error monitoring tool.
Airbrake’s error and performance monitoring software provides real-time error monitoring and automatic exception reporting for all development projects. In addition to this, Airbrake integrates with all popular languages and frameworks. Plus, Airbrake makes it easy to customize exception parameters, so you only gather the errors that matter.
See why so many of the world’s best engineering teams use Airbrake to revolutionize their exception handling practices and create your free dev account today.
Note: We published this post in January 2018 and recently updated it in June 2022.