Recently I came across an issue where making HTTP DELETE or PUT requests to an API would result in a “405 method not allowed” error. After some quick research it turned out to be the WebDAV component’s doing in IIS. Let’s re-create this issue locally, and learn how to solve it.
Dummy RESTful API
First, let’s create a very simple Web API for testing. I used Visual Studio 2017 with .NET Core 1.1 and went for an empty WebApi project.
I then slightly modified the default controller to create a dummy RESTful API. Controller’s code below.
Please note I am using “WebApplication4” namespace after my test solution.
IIS set up
Then I published the project and set up a new site on IIS.
Make sure you have the WebDAV module installed at this point. If you don’t see the WebDAV module in your IIS, you need to install it in “Turn Windows Features On or Off” under Internet Information Services > World Wide Web Services > Common HTTP Features. Screenshot below.
To make the IIS setup easier I’ve also used the “testapi” local domain, and therefore needed to add the following line to the Windows hosts file:
405 method not allowed
Now you can make GET, POST, PUT, and DELETE requests to your test API using your favourite REST testing app. I used Postman. You should get the following results.
- GET – 200 “get”
- POST – 201
- PUT/DELETE – “405 method not allowed” (screenshot below)
Congratulations! We’ve just replicated the problem. Now, let’s focus on the fix.
So what is WebDAV?
WebDAV is an Internet-based open standard that enables editing Web sites over HTTP and HTTPS connections.
In other words, WebDAV, if configured correctly, allows you to publish content to remote websites, and therefore tightens security around the PUT and DELETE methods to prevent accidental (or intentional :)) content modification. It should be possible to configure WebDAV to work nicely with RESTful APIs and allow PUT and DELETE requests; however, the fewer components and modules you have in your system, the fewer potential security holes you get. For example, see “MHTML 0-Day Vulnerability Won’t be Patched Tomorrow”.
If you don’t need to use WebDAV, then the easiest and best way to fix the “405 method not allowed” issue is to remove WebDAV from your system. You can easily get this done in “Turn Windows Features On or Off” by simply un-ticking the checkbox.
Once WebDAV is deleted, we can make PUT and DELETE calls to our test API successfully, and now the results are:
- GET – 200 “get”
- POST – 201
- PUT – 200 “put”
- DELETE – 204
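The removal and re-test described above, scripted in PowerShell as an added example that is not part of the original post. It assumes an elevated prompt, the “testapi” host from this post, and an `api/values` route (an assumption based on the default Web API template; the post does not state the route). `IIS-WebDAV` and `Web-DAV-Publishing` are the Windows client and Windows Server names for the WebDAV Publishing feature.

```powershell
# Added example: report whether IIS WebDAV Publishing is installed, optionally
# remove it, then probe each HTTP verb and list the status codes returned.
param(
    [string]$BaseUrl = 'http://testapi/api/values',  # assumed route; adjust to your API
    [switch]$Remove                                   # without -Remove the script only reports
)

function Get-WebDavInstalled {
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        # Windows Server (ServerManager module): role service name
        return (Get-WindowsFeature -Name Web-DAV-Publishing).Installed
    }
    # Windows client: optional feature name
    return (Get-WindowsOptionalFeature -Online -FeatureName IIS-WebDAV).State -eq 'Enabled'
}

function Remove-WebDav {
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        Uninstall-WindowsFeature -Name Web-DAV-Publishing | Out-Null
    } else {
        Disable-WindowsOptionalFeature -Online -FeatureName IIS-WebDAV -NoRestart | Out-Null
    }
}

function Test-Verb([string]$Method, [string]$Url) {
    $req = @{ Uri = $Url; Method = $Method; UseBasicParsing = $true }
    if ($Method -in 'POST', 'PUT') {
        # Constructed sample body for the dummy API
        $req.Body = '"test"'; $req.ContentType = 'application/json'
    }
    try {
        $status = [int](Invoke-WebRequest @req).StatusCode
    } catch {
        # Non-2xx responses throw; the status code is on the exception's response.
        $resp = $_.Exception.Response
        $status = if ($resp) { [int]$resp.StatusCode } else { -1 }  # -1: no HTTP response
    }
    [pscustomobject]@{ Method = $Method; Status = $status }
}

$installed = Get-WebDavInstalled
Write-Host "WebDAV Publishing installed: $installed"
if ($installed -and $Remove) { Remove-WebDav }

@(
    Test-Verb GET    $BaseUrl
    Test-Verb POST   $BaseUrl
    Test-Verb PUT    "$BaseUrl/1"
    Test-Verb DELETE "$BaseUrl/1"
) | Format-Table -AutoSize
```

Running it once without `-Remove` and once with it gives a before/after record of the status codes for each verb.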
Tips and Tricks
In Windows Server OS there are two different menu items for adding and removing features in Server Manager. Screenshot below.
In this blog post we covered setting up a sample RESTful API, installing WebDAV, replicating the “405 method not allowed” issue, and fixing it by removing WebDAV.
WebDAV can cause IIS to block PUT and DELETE calls to an application, and if you don’t use WebDAV, the best solution is to remove WebDAV from your IIS.