405 method not allowed in IIS

Recently I cam across an issue when making HTTP DELETE or PUT requests to API would result in “405 method not allowed” error. After a quick research it turned out to be WebDAV component’s doing in IIS. Let’s re-create this issue locally, and learn how to solve it.

Dummy RESTful API

First, let’s create a very simple Web API for testing. I used Visual Studio 2017 with .NET Core 1.1 and went for an empty WebApi project.

new web api .net core

And slightly modified default the default controller to create a dummy RESTful API. Controller’s code below.

Please note I am using “WebApplication4” namespace after my test solution.

IIS set up

Then published the project and set up a new site on IIS.

IIS 10 with test api

Make sure you have WebDAV module installed at this point. If you don’t see WebDAV module in your IIS, you need to install it in “Turn Windows Features On or Off” under Internet Information Services > World Wide Web Services > Common HTTP Features. Screenshot below.

install webdav

To make IIS set up easier I’ve also used “testapi” local domain, and therefore needed to add following line to Windows hosts file:

hosts file

405 method not allowed

Now you can make GET, POST, PUT, and DELETE requests to your test API using your favourite REST testing app. I used Postman. And you should get following results.

  • GET – 200 “get”
  • POST – 201
  • PUT/DELETE – “405 method not allowed” (screenshot below)

405 method not allowed

Congratulations! We’ve just replicated the problem. Now, let’s focus on the fix.

So what is WebDAV?

Per iis.net documentation:

WebDAV is an Internet-based open standard that enables editing Web sites over HTTP and HTTPS connections.

In other words, WebDAV, if configured correctly, allows you to publish content to remote websites, therefore has a tightened security about PUT and DELETE methods to prevent accidental (or intentional:)) content modification. On one hand, it should be possible to configure WebDAV to work nicely with RESTful APIs and allow PUT and DELETE requests, however the less components and modules you have in your system, the less potential security holes you get. For example, MHTML 0-Day Vulnerability Won’t be Patched Tomorrow.

Deleting WebDAV

If you don’t need to use WebDAV, then the easiest and the best way to fix “405 method not allowed” issue is to remove WebDAV from your system. You can easily get this done in “Turn Windows Features On or Off” simply un-ticking the checkbox.

remove webdav

Once WebDAV is deleted, we can make PUT and DELETE calls to our test API successfully, and now the results are:

  • GET – 200 “get”
  • POST – 201
  • PUT – 200 “put”
  • DELETE – 204

successful delete call

All set!

Tips and Tricks

In Windows Server OS there are two different menu items for adding and removing features in Server Manager. Screenshot below.

add remove features windows server

Conclusions

In this blog post we covered setting up a sample RESTful API, installing WebDAV, replicating the “405 method not allowed” issue, and fixed it by removing WebDAV.

WebDAV can cause IIS to block PUT and DELETE calls to an application, and if you don’t use WebDAV, the best solution is to remove WebDAV from your IIS.