What Is a 405 Error Code and How To Fix It

Among all HTTP responses, the 405 error is one of the most common during API integrations, form wiring, and custom routing. It’s especially relevant for anyone working with server-side requests: developers, integrators, and technical specialists. The problem occurs when the web server software receives a syntactically valid request, but the method used is not allowed for the specific resource – for example, a POST instead of an allowed GET.

This article explains what the 405 error code means, the typical causes behind it, and how to fix it in different contexts – from a client request to server configuration.

405 Error: Meaning

A 405 error is returned when a web server receives a valid request but rejects it because the HTTP method is not permitted. The resource exists and the path is correct, but the action – such as TRACE (debugging) or DELETE (removing a resource) – is disallowed for that route.

The server includes an Allow header indicating which methods are permitted for the resource. It won’t show up on the page, but you can see it:

  • in your browser’s developer tools: Network tab → select the failing request → Response Headers;
  • in debugging consoles when using tools like cURL, Postman, or an HTTP client in your IDE;
  • in the logs if HTTP header logging is enabled.

Example header:

Allow: GET, HEAD

This response is produced by server configuration, application logic, or routing rules. It’s often used to protect interfaces, restrict APIs, or filter actions according to predefined logic.

What are HTTP 405 Error Causes?

When troubleshooting, keep in mind that a 405 can be triggered at multiple layers – from server settings to intermediary filters. Pinpoint where the request was blocked before you start changing things.

An Unsupported HTTP Method

The client uses a request method that the target resource doesn’t accept. For instance, sending POST (data submission) instead of the allowed GET (data retrieval). This often happens when wiring HTML forms, writing API calls, or using nonstandard libraries.

Web Server Configuration Limits

NGINX, LiteSpeed, Caddy, or Apache can be configured to block specific HTTP request types for certain directories or files. These restrictions are defined at the configuration level and enforced by access policies for routes.

WAF Rules

A Web Application Firewall (WAF) may block methods like PUT, DELETE, or OPTIONS as potentially risky. This is common on managed hosting, especially with cloud solutions or services that ship with traffic filters enabled.

API Incompatibility

Some APIs only support specific HTTP request types. Using an unsupported one results in a 405 Method Not Allowed response. For example, calling PUT where only POST is permitted. This is typical with REST interfaces.

Plugin or CMS Conflicts

In CMSs and frameworks, failures often appear after installing a WordPress plugin that affects routing or security. For example, WordPress may restrict PUT and DELETE under certain configurations.

Redirects That Don’t Preserve the Method

If the server or an intermediary (e.g., .htaccess or middleware) performs a redirect without preserving the original request type (turning POST into GET), the new request may be rejected. This is especially common when switching between HTTP and HTTPS, or normalizing trailing slashes.

Reverse Proxy or CDN Restrictions

A reverse proxy is an intermediary that receives client HTTP requests and forwards them to the application, possibly applying caching, compression, or filtering (e.g., NGINX, HAProxy, Cloudflare).

A CDN distributes content across geographically close edge locations. Many CDNs provide security and filtering features, including method restrictions.

If PUT, DELETE, or PATCH are blocked in the proxy or CDN configuration, the request can be rejected before it ever reaches your app, resulting in a 405.

Application Routing Errors

Frameworks and libraries can return an HTTP 405 error when a route exists but has no handler for the current request type. For example, /data is configured for GET only, but the client sends POST. This is common in REST frameworks with explicit routing.
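The routing behaviour described above, as an added example that is not from the original article or from any framework: a per-route method allowlist that answers 404 for an unknown path and 405 with an Allow header for a known path called with an unregistered method. The route table, allowedMethods() and dispatch() are hypothetical names.

```javascript
// Added illustration: the route table and dispatch() are hypothetical,
// not the API of Express or any other framework.
// Maps are used instead of plain objects so that a method string such as
// "constructor" cannot resolve to an inherited property.
const routes = new Map([
  ['/data', new Map([['GET', () => 'rows']])],
  ['/login', new Map([['GET', () => 'form'], ['POST', () => 'session']])],
]);

// Methods a route answers: its registered handlers, plus HEAD wherever GET exists.
function allowedMethods(handlers) {
  const methods = new Set(handlers.keys());
  if (methods.has('GET')) methods.add('HEAD');
  return [...methods].sort();
}

// Resolve a request to a status, headers and body without touching the network.
function dispatch(method, path) {
  const handlers = routes.get(path);
  if (!handlers) {
    return { status: 404, headers: {}, body: '' }; // unknown path: no Allow header
  }
  // HEAD is served by the GET handler with the body dropped.
  const handler = handlers.get(method === 'HEAD' ? 'GET' : method);
  if (!handler) {
    // Known path, method outside the allowlist: 405 plus the permitted set.
    const allow = allowedMethods(handlers).join(', ');
    return { status: 405, headers: { Allow: allow }, body: '' };
  }
  const body = handler();
  return { status: 200, headers: {}, body: method === 'HEAD' ? '' : body };
}

// Constructed sample requests.
const samples = [['GET', '/data'], ['POST', '/data'], ['TRACE', '/login'], ['POST', '/nope']];
for (const [method, path] of samples) {
  const res = dispatch(method, path);
  console.log(method, path, '->', res.status, res.headers.Allow || '');
}
```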

How To Fix HTTP 405 Error

The fix depends on the layer where the rejection occurs:

  • Client – The request uses a disallowed request type. Update the form, script, or API call.
  • Application – No handler is configured for the method. Add or adjust routes and controllers.
  • Server – The method is blocked by web server configuration. Review and update settings, and inspect access/error logs to see where the request was rejected.
  • Intermediaries – A WAF, CDN, or proxy enforces the restriction. Adjust their policy or contact support.

Accurately identifying the layer lets you go straight to the relevant settings and avoid unnecessary debugging.

1) Verify You’re Using the Correct Method

Symptoms: After submitting a form, calling an API, or running a script, the page doesn’t perform the expected action. The browser may show a 405 error despite a correct URL.

What to do:

  • Check which method the request uses.
  • Compare it with the API docs or your server’s routing rules.
  • Ensure the form, script, or client code sends an allowed method.
  • Change the method if it doesn’t match the permitted set.

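Example: If an HTML form uses method="PUT" but the server accepts only POST, change PUT to POST. HTML forms can send only GET and POST, so a browser submits a form with any other method value as GET.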

On the client side, the issue may persist due to browser behavior or extensions. Testing another browser and disabling filters/plugins helps rule out client-side interference.

2) Unblock HTTP Methods in the Web Server Configuration

Symptoms: Some actions don’t work even though the rest of the site behaves normally – for instance, a form won’t submit while pages load fine. The server might display a default placeholder page.

How to fix:

  • Review configuration files: .htaccess, nginx.conf, web.config, and others.
  • Find directives that restrict HTTP request types (e.g., Limit, LimitExcept, request_method).
  • Remove or adjust rules that block required methods.
  • Apply changes and restart the web server.

Example: If .htaccess contains <Limit POST> that blocks POST, remove it or change to <LimitExcept POST>.

3) Check WAF or Firewall Restrictions

Symptoms: Certain forms or API calls return a 405 error that resubmitting doesn’t fix, while other site features work fine.

Steps:

  • Open your WAF control panel.
  • Locate any active rule that limits HTTP request types.
  • Allow the required method or add an exception for the affected route.
  • Save changes and retest.

Example: In Cloudflare, disable a rule that blocks PUT, or add /api/upload to an allowlist.

4) Confirm Supported Methods in the API Documentation

Symptoms: When working with an API, a request to a valid endpoint returns a 405, while other calls to the same resource succeed.

What to do:

  • Check the API docs for the allowed methods per endpoint.
  • Make sure the API actually supports the method you’re using.
  • Update the client, script, or UI configuration accordingly.

Example: If only GET is allowed for /api/data but your script runs fetch('/api/data', { method: 'POST' }), change POST to GET.

5) Review CMS Plugins and Routes

Symptoms: After installing or updating an extension, clicking a button no longer triggers the expected action—the page remains unchanged.

What to do:

  • Disable the most recently activated extension.
  • Clear the CMS and browser caches.
  • Review routing and allowed request types.
  • Re-enable modules one by one to identify the culprit.

Example: In WordPress, after installing a “Security XYZ” plugin, a form stops working. Disabling that plugin restores functionality.

Note: In a CMS, also confirm the issue isn’t due to database table availability. If needed, use phpMyAdmin to diagnose with CHECK TABLE or the built-in “check/repair” option.

6) Configure Redirects Without Changing the HTTP Method

Symptoms: After a new page loads, interactions stop working: a form never submits, an action isn’t processed, and clicking a button has no effect.

Steps:

  • Verify whether the method is preserved across redirects (via DevTools or cURL).
  • Use a 307 redirect instead of 301/302 when you must preserve the original method.
  • Ensure the destination route accepts the required request type.
  • Update .htaccess, nginx.conf, or middleware, and confirm rewrite rules don’t change the method during redirects.

Example: If NGINX has return 301 /new-url; and the original request was POST, the redirect will turn it into GET. Use 307 to preserve POST.
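The method rewriting behind this fix, as an added example that is not from the original article: it applies the redirect rules browsers follow under the Fetch Standard to a chain of redirect status codes and reports which hop changed the method. It goes beyond the 301/307 case in the text by also covering 302, 303 and 308; methodAfterRedirect() and traceRedirects() are hypothetical names and the chains are constructed.

```javascript
// Added illustration: function names and sample chains are constructed.
// Method a Fetch-conforming client uses for the request that follows a redirect.
function methodAfterRedirect(method, status) {
  // 301/302: POST is rewritten to GET; other methods are kept.
  if ((status === 301 || status === 302) && method === 'POST') return 'GET';
  // 303: everything except GET and HEAD is rewritten to GET.
  if (status === 303 && method !== 'GET' && method !== 'HEAD') return 'GET';
  // 307/308 (and the remaining cases) preserve the original method.
  return method;
}

// Walk a redirect chain and check the final method against the destination's
// allowlist. Returns the method sent at every hop, the first status code that
// rewrote the method (or null), and the status the destination would answer.
function traceRedirects(method, redirectStatuses, allowedAtDestination) {
  const sent = [method];
  let current = method;
  let rewrittenBy = null;
  for (const status of redirectStatuses) {
    const next = methodAfterRedirect(current, status);
    if (next !== current && rewrittenBy === null) rewrittenBy = status;
    current = next;
    sent.push(current);
  }
  const finalStatus = allowedAtDestination.includes(current) ? 200 : 405;
  return { sent, rewrittenBy, finalStatus };
}

// Constructed scenario: an HTTP-to-HTTPS redirect followed by a trailing-slash
// redirect, in front of a route that accepts POST only.
console.log(traceRedirects('POST', [301, 301], ['POST'])); // ends in 405
console.log(traceRedirects('POST', [307, 308], ['POST'])); // ends in 200
```

Running a request's real chain of status codes through traceRedirects() points to the redirect rule that needs to become a 307 or 308.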

7) Allow Required Methods in the Proxy or CDN

Symptoms: Some actions fail: the page loads, but clicking a button or submitting data has no effect.

How to fix:

  • Check whether a reverse proxy (e.g., Cloudflare, HAProxy) or a CDN is in use.
  • Review their HTTP request type filtering settings.
  • Allow required methods (PUT, DELETE, PATCH) in the control panel.

Example: If the site uses Cloudflare, go to Security → WAF → Tools and check for 405 error messages, then add a rule that allows PATCH for all paths starting with /api/.

8) Add a Handler for the Required Method

Symptoms: The page loads, but interactive actions – such as submitting a form or clicking a button – don’t produce the expected result.

How to fix:

  • Review route configuration and allowed methods.
  • Add support for the required method in the controller/handler.
  • Ensure the route explicitly accepts the method being sent.
  • Test locally and commit the change.

Example (Express.js): If only app.get('/login', ...) exists but the form submits POST, add:

app.post('/login', (req, res) => { /* login logic */ });

How to Prevent 405 Responses on Your Site

To avoid 405 errors, account for method restrictions and correctly configure the web server, application, and intermediaries.

Layer – What to Do

  • Client (browser, script) – Use allowed HTTP methods in forms and requests. Follow API documentation.
  • Application – Ensure routes/controllers handle all methods you use (e.g., POST, PUT, DELETE as applicable).
  • Web Server – Review .htaccess, nginx.conf, web.config; avoid unnecessary restrictions.
  • WAF & Proxy/CDN – Allow PUT, PATCH, DELETE, etc., in filtering policies. Exclude required routes from blocks.
  • CMS – Verify plugin/theme compatibility with nonstandard methods. Disable or replace conflicting extensions.

Conclusion

An HTTP 405 error is not a sign of a system-wide failure; it’s a signal that the request method doesn’t match what the server or application expects. To fix it, determine where the block occurs and adjust the configuration. The earlier these nuances are considered during development or setup, the more stable your web application will be.

FAQ

Can “Method Not Allowed” be temporary?

Yes. For example, during server configuration changes or CMS plugin updates. In that case, resolve the conflict or roll back the settings.

How do 405, 404, and 403 differ?

A 405 means the path exists but the method is not allowed. A 403 indicates access is forbidden. A 404 means the resource doesn’t exist.

Can the browser cause the 405 error?

Indirectly, yes. Some extensions or browser caches can modify or rewrite methods – especially during redirects or when a form uses nonstandard attributes.

Do all proxies and CDNs support the same methods?

No. Some services block PATCH, PUT, and DELETE by default. Review filtering and security settings for each service you use.