Whitelisting HTTP MethodsΒΆ

If your API is to adhere to the Richardson Maturity Model’s level 2 or higher, you will be using HTTP verbs to interact with it: GET, POST, PUT, DELETE, and PATCH being the most common. However, based on the resource and whether or not the end point is a collection, you may want to allow different HTTP methods. How can you do that? and how do you enforce it?

HTTP provides functionality around this topic via another HTTP method, OPTIONS, and a related HTTP response header, Allow.

Calls to OPTIONS are non-cacheable, and may provide a response body if desired. They _should_ emit an Allow header, however, detailing which HTTP request methods are allowed on the current URI.

Consider the following request:

OPTIONS /api/user
Host: example.org

with its response:

HTTP/1.1 200 OK
Allow: GET, POST

This tells us that for the URI /api/user, you may emit either a GET or POST request.

What happens if a malicious user tries something else? You should respond with a “405 Not Allowed” status, and indicate what _is_ allowed:

HTTP/1.1 405 Not Allowed
Allow: GET, POST

PhlyRestfully bakes this into its PhlyRestfully\ResourceController implementation, allowing you to specify via configuration which methods are allowed both for collections and individual resources handled by the controller.