Allowed HTTP Methods

Learn how to block unwelcome requests to an endpoint by using the Allowed HTTP Methods policy in NGINX Management Suite API Connectivity Manager.

Overview

In API Connectivity Manager, you can apply policies to an API Gateway to further enhance their configuration to meet your requirements.

Policies added at the proxy level are applied to all routes within that proxy.

For an overview of the different policy types and available policies, refer to the consult the Learn about Policies topic.

About Allow HTTP Methods Policy

Use the Allowed HTTP Methods policy to specify which methods you want to allow, while automatically blocking all the others. As an example, you could allow only GET requests for static content.

Intended Audience

This guide is meant for Infrastructure Administrators.

Infrastructure Administrators ensure uniform governance across an organization’s infrastructure by setting policies at the infrastructure level, enabling teams to build APIs without interruption while adhering to the organization’s standards.

Before You Begin

To complete the steps in this guide, you need the following:

API Connectivity Manager is installed, licensed, and running.
You have one or more Environments with an API Gateway.
You have published one or more API Gateways.

Policy Settings

Field	Type	Possible Values	Description	Required	Default value
`allowedMethods`	array	`GET`, `PUT`, `POST`, `PATCH`, `DELETE`, `CONNECT`, `OPTIONS`, `TRACE`	This array contains all of the possible HTTP methods. Methods listed in `allowedMethods` will be accepted; any omitted methods will be blocked with a return code of `405 Method Not Allowed` (default), or a code of your choice. Note: `HEAD` requests are treated the same as `GET` requests.	Yes
`returnCode`	int	In range `400-599`	The status code to be returned if a method isn’t included in the `allowedMethods` array.	No	System assigned `405`

Applying the Policy

Follow these steps to restrict which HTTP methods clients can use to access your API. If the request’s HTTP method is not in the allowed methods list, a 405 Method Not Allowed response is returned by default, or you can specify a different error code.

Note:
By enabling the GET method, the HEAD method is also enabled.

See Also:
You can use tools such as curl or Postman to interact with the API Connectivity Manager REST API. The API URL follows the format https://<NMS_FQDN>/api/acm/<API_VERSION> and must include authentication information with each call. For more information about authentication options, please refer to the API Overview.

To create an Allowed HTTP Methods policy using the REST API, send an HTTP POST request to the Proxies endpoint.

Method	Endpoint
`POST`	`/services/workspaces/{service-workspace}/proxies`

JSON request

{
  "policies": {
    "allowed-http-methods": [
      {
        "action": {
          "allowedMethods": [
            "GET",
            "PUT",
            "POST",
            "PATCH",
            "DELETE",
            "CONNECT",
            "OPTIONS",
            "TRACE"
          ],
          "returnCode": 405
        }
      }
    ]
  }
}

This JSON defines an Allowed HTTP Methods policy that specifies which HTTP methods are allowed. The listed methods (GET, PUT, POST, PATCH, DELETE, CONNECT, OPTIONS, TRACE) are all allowed, and any other methods will return a 405 Method Not Allowed response code.

To create an Allowed HTTP Methods policy using the web interface:

In a web browser, go to the FQDN for your NGINX Management Suite host and log in. Then, from the Launchpad menu, select API Connectivity Manager.
On the left menu, select Services.
Select a workspace in the list that contains the API Proxy you want to update.
On the workspace overview page, on the API Proxies tab, locate the API Proxy you want to update. Select the Actions menu (represented by an ellipsis, ...), then select Edit Proxy.
On the left menu, select API Proxy > Advanced > Policies.
On the Advanced > Policies page, on the API Proxy tab, locate Allowed HTTP Methods. Select the Actions menu (represented by an ellipsis, ...), then select Add Policy.
On the Allowed HTTP Methods form, complete the necessary fields:
- Allow following HTTP Methods: Specify the HTTP methods you want to allow. Any methods that aren’t included will be blocked.
- Custom response code for non-matching requests: Specify the status code to return for blocked methods. The default is 405 Method Not Allowed.
Select Add to apply the policy to the API proxy.
Select Save and Publish to deploy the configuration to the API Proxy.