Allowed HTTP Methods
Learn how to block unwelcome requests to an endpoint by using the Allowed HTTP Methods policy in NGINX Management Suite API Connectivity Manager.
Overview
In NGINX Management Suite API Connectivity Manager (ACM), you can apply policies to an API Gateway to further enhance its configuration to meet your requirements.
When you add policies at the proxy level, they will apply to all routes configured within that proxy.
See the Learn about Policies topic for an overview of the different policy types and available policies.
About the Policy
Use the Allowed HTTP Methods policy to specify which methods you want to allow, while automatically blocking all the others. As an example, you could allow only GET requests for static content.
Before You Begin
To complete the steps in this guide, you need the following:
- API Connectivity Manager is installed, licensed, and running.
- You have one or more Environments with an API Gateway.
- You have published one or more API Gateways.
Policy Settings
Field | Type | Possible Values | Description | Required | Default value |
---|---|---|---|---|---|
allowedMethods | array | GET, PUT, POST, PATCH, DELETE, CONNECT, OPTIONS, TRACE | This array contains all of the possible HTTP methods. Methods listed in Note: | Yes | |
returnCode | int | In range 400-599 | The status code to be returned if a method isn’t included in the allowedMethods array. | No | System assigned 405 |
Applying the Policy
Follow these steps to restrict which HTTP methods clients can use to access your API. If the request’s HTTP method is not in the allowed methods list, a 405 Method Not Allowed response is returned by default, or you can specify a different error code.
Note: By enabling the GET method, the HEAD method is also enabled.
To create an Allowed HTTP Methods policy using the REST API, send an HTTP POST request to the Proxies endpoint.
Method | Endpoint |
---|---|
POST | /services/workspaces/{service-workspace}/proxies |
JSON request
{
  "policies": {
    "allowed-http-methods": [
      {
        "action": {
          "allowedMethods": [
            "GET",
            "PUT",
            "POST",
            "PATCH",
            "DELETE",
            "CONNECT",
            "OPTIONS",
            "TRACE"
          ],
          "returnCode": 405
        }
      }
    ]
  }
}
This JSON defines an Allowed HTTP Methods policy that specifies which HTTP methods are allowed. The listed methods (GET, PUT, POST, PATCH, DELETE, CONNECT, OPTIONS, TRACE) are all allowed, and any other methods will return a 405 Method Not Allowed response code.
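The following Python sketch is an added example, not code from the product or its documentation. It builds a narrower policy body (GET only, as in the static-content case above), validates it against the Policy Settings table, and compares probe results with what the policy should enforce, including the GET/HEAD rule. The function names, the rejection of an empty or duplicated list, and the sample probe results are assumptions made for illustration.

```python
import json

# Method names and the 400-599 range come from the Policy Settings table.
KNOWN_METHODS = {"GET", "PUT", "POST", "PATCH", "DELETE", "CONNECT", "OPTIONS", "TRACE"}


def build_policy(allowed, return_code=405):
    """Build the request-body fragment for an allowed-http-methods policy."""
    methods = [m.upper() for m in allowed]
    # Assumption: an empty or duplicated list is treated as a mistake.
    if not methods or set(methods) - KNOWN_METHODS or len(set(methods)) != len(methods):
        raise ValueError(f"allowedMethods must be unique values from {sorted(KNOWN_METHODS)}")
    if isinstance(return_code, bool) or not isinstance(return_code, int) \
            or not 400 <= return_code <= 599:
        raise ValueError("returnCode must be an int in the range 400-599")
    action = {"allowedMethods": methods, "returnCode": return_code}
    return {"policies": {"allowed-http-methods": [{"action": action}]}}


def effective_methods(policy):
    """Methods the gateway will accept: enabling GET also enables HEAD."""
    action = policy["policies"]["allowed-http-methods"][0]["action"]
    allowed = set(action["allowedMethods"])
    return allowed | {"HEAD"} if "GET" in allowed else allowed


def audit(policy, observed):
    """Compare probe results {method: status} with the policy's intent."""
    code = policy["policies"]["allowed-http-methods"][0]["action"]["returnCode"]
    allowed = effective_methods(policy)
    findings = []
    for method, status in sorted(observed.items()):
        if method in allowed and status == code:
            findings.append((method, status, "allowed method was rejected"))
        elif method not in allowed and status != code:
            findings.append((method, status, "method was not blocked with returnCode"))
    return findings


if __name__ == "__main__":
    policy = build_policy(["GET"])  # static content: allow GET only
    print(json.dumps(policy, indent=2))
    # Constructed probe results, e.g. gathered with `curl -X <METHOD>` after publishing.
    observed = {"GET": 200, "HEAD": 200, "POST": 405, "DELETE": 200, "TRACE": 405}
    for finding in audit(policy, observed):
        print(finding)
```

A backend that itself answers with the configured returnCode for an allowed method will show up as a finding, so confirm such results against the upstream service before changing the policy.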
To create an Allowed HTTP Methods policy using the web interface:
- Go to the FQDN for your NGINX Management Suite host in a web browser and log in. Then, from the Launchpad menu, select API Connectivity Manager.
- On the left menu, select Services.
- Select a workspace in the list that contains the API Proxy you want to update.
- On the workspace overview page, on the API Proxies tab, locate the API Proxy you want to update. Select the Actions menu (represented by an ellipsis, ...), then select Edit Proxy.
- On the left menu, select API Proxy > Advanced > Policies.
- On the Advanced > Policies page, on the API Proxy tab, locate Allowed HTTP Methods. Select the Actions menu (represented by an ellipsis, ...), then select Add Policy.
- On the Allowed HTTP Methods form, complete the necessary fields:
  - Allow following HTTP Methods: Specify the HTTP methods you want to allow. Any methods that aren’t included will be blocked.
  - Custom response code for non-matching requests: Specify the status code to return for blocked methods. The default is 405 Method Not Allowed.
- Select Add to apply the policy to the API proxy.
- Select Save and Publish to deploy the configuration to the API Proxy.