HTTP Verbs PUT and DELETE: 405 Method not allowed - how to allow?

Question

I've been trying all the suggested workarounds for ASP.NET to be able to address my REST web service by HTTP Methods PUT and DELETE. However, none of them seems to work. (i.e. removing WebDAV handler or allowing all verbs to ExtensionlessHandler).

What's required in ASP.NET Core Web API (on IIS) to allow those two verbs (HTTP PUT and DELETE)?

PS: I've configured our Web API project using CORS, yet I'm accessing the web service from a web page on the same origin. So it's not a CORS issue, either.

Answer 1

A day after, I now found the cause for this error. The following reasons caused this error to happen:

1. There was a typo in the PUT call, so the Web API method wasn't called. After fixing that, the following two issues had to be fixed:
2. It wasn't sufficient to prefix the Web API methods with the method and omit the corresponding attributes ([HttpPut], [HttpDelete]). So, these attributes had to be applied (this is particular to ASP.NET Core).
3. It wasn't sufficient to provide the above attributes to the methods. It was required to provide the methods' address (and query string, resp.) parameters for these attributes ([HttpPut("{id}")], [HttpDelete("id")]), too. (This is particular to ASP.NET Core.)

See ASP.NET Core Web API: Routing by method name? .

I believe "405 Method not allowed" to be quite an inappropriate error message. It doesn't reflect any of the above three reasons and is very confusing.

I, moreover, believe that "400 Bad Request", "404 Not Found", or - rather - "501 Not Implemented" would have been rather more appropriate HTTP return states.

I created a GitHub issue on this:
"405: Method not allowed" = Misleading error message ? Replace with better HTTP status code

Answer 2

This took me hours to figure out. I'm using ASP.NET Core 5 and there is no need to modify the web.config to remove WebDav or anything. I believe most people didn't realize the differences of the signature of POST method and PUT, DELETE method.

• POST method URL: http://servername/api/controller
• PUT and DELETE method URL: http://servername/api/controller/id

Notes that you have to put id in the URL for PUT and DELETE. Good luck.

Answer 3

@AxD explained very well. In my case following is the problem.

[HttpDelete("{cardioId:length(24)}")]
public async Task<IActionResult> Delete([FromBody] string cardioId)

Mistakenly while copy and pasting code I forgot to change [FromBody] to [FromRoute] which causing this 405 Method Not Allowed error which is really inappropriate.

Please double check this kind of mistakes when you are facing such kind of errors.

Answer 4

In case someone has a brain fart like me, don't forget that in a web browser you are making a GET request. So trying to access your PUT endpoint from a browser is going to give you this issue. You can use a tool like Postman. And don't forget to actually change the request type from GET to PUT in Postman!

Answer 5

I was facing this problem testing a .NET 6 RESTful Web API using Postman and REST Client VSCode extension. After checking my code, I find out that I had to add CORS to the pipeline of my web application. This is the piece of code to add CORS:

...
builder.Services.AddCors(c =>
{
    c.AddPolicy("AllowOrigin", options => options.AllowAnyOrigin());
});
...
app.UseCors(options => options.AllowAnyOrigin());

Have a nice coding!