Allowed HTTP Methods

Learn how to block unwelcome requests to an endpoint by using the Allowed HTTP Methods policy in NGINX Management Suite API Connectivity Manager.

Overview

In NGINX Management Suite API Connectivity Manager (ACM), you can apply policies to an API Gateway to further enhance their configuration to meet your requirements.

When you add policies at the proxy level, they will apply to all routes configured within that proxy.

See the Learn about Policies topic for an overview of the different policy types and available policies.

About the Policy

Use the Allowed HTTP Methods policy to specify which methods you want to allow, while automatically blocking all the others. As an example, you could allow only GET requests for static content.

Before You Begin

To complete the steps in this guide, you need the following:

API Connectivity Manager is installed, licensed, and running.
You have one or more Environments with an API Gateway.
You have published one or more API Gateways.

Policy Settings

Field	Type	Possible Values	Description	Required	Default value
`allowedMethods`	array	`GET`, `PUT`, `POST`, `PATCH`, `DELETE`, `CONNECT`, `OPTIONS`, `TRACE`	This array contains all of the possible HTTP methods. Methods listed in `allowedMethods` will be accepted; any omitted methods will be blocked with a return code of `405 Method Not Allowed` (default), or a code of your choice. Note: `HEAD` requests are treated the same as `GET` requests.	Yes
`returnCode`	int	In range `400-599`	The status code to be returned if a method isn’t included in the `allowedMethods` array.	No	System assigned `405`

Applying the Policy

Follow these steps to restrict which HTTP methods clients can use to access your API. If the request’s HTTP method is not in the allowed methods list, a 405 Method Not Allowed response is returned by default, or you can specify a different error code.

Note:
By enabling the GET method, the HEAD method is also enabled.

To create an Allowed HTTP Methods policy using the REST API, send an HTTP POST request to the Proxies endpoint.

Method	Endpoint
`POST`	`/services/workspaces/{service-workspace}/proxies`

JSON request

{
  "policies": {
    "allowed-http-methods": [
      {
        "action": {
          "allowedMethods": [
            "GET",
            "PUT",
            "POST",
            "PATCH",
            "DELETE",
            "CONNECT",
            "OPTIONS",
            "TRACE"
          ],
          "returnCode": 405
        }
      }
    ]
  }
}

This JSON defines an Allowed HTTP Methods policy that specifies which HTTP methods are allowed. The listed methods (GET, PUT, POST, PATCH, DELETE, CONNECT, OPTIONS, TRACE) are all allowed, and any other methods will return a 405 Method Not Allowed response code.

To create an Allowed HTTP Methods policy using the web interface:

Go to the FQDN for your NGINX Management Suite host in a web browser and log in. Then, from the Launchpad menu, select API Connectivity Manager.
On the left menu, select Services.
Select a workspace in the list that contains the API Proxy you want to update.
On the workspace overview page, on the API Proxies tab, locate the API Proxy you want to update. Select the Actions menu (represented by an ellipsis, ...), then select Edit Proxy.
On the left menu, select API Proxy > Advanced > Policies.
On the Advanced > Policies page, on the API Proxy tab, locate Allowed HTTP Methods. Select the Actions menu (represented by an ellipsis, ...), then select Add Policy.
On the Allowed HTTP Methods form, complete the necessary fields:
- Allow following HTTP Methods: Specify the HTTP methods you want to allow. Any methods that aren’t included will be blocked.
- Custom response code for non-matching requests: Specify the status code to return for blocked methods. The default is 405 Method Not Allowed.
Select Add to apply the policy to the API proxy.
Select Save and Publish to deploy the configuration to the API Proxy.