Aarunya AppsAarunya Apps
405
Method Not Allowed
Client Error

HTTP 405 Method Not Allowed — Allow Header & Fix Guide

The HTTP method used in the request is not supported for the target resource. The response must include an Allow header listing the supported methods.

When to Return 405

Return 405 when a client uses an unsupported method on a valid resource (e.g., DELETE on a read-only resource, POST on a resource that only supports GET). Always include the Allow header.

Common Causes

  • Calling DELETE on a read-only API endpoint
  • Using POST when only GET is allowed
  • PUT to an endpoint that only accepts PATCH
  • Submitting a form to an endpoint that only accepts GET

HTTP Response Example

HTTP/1.1 405 Method Not Allowed
Allow: GET, POST
Content-Type: application/json

{"error": "Method Not Allowed"}

Code Examples

Express.js
app.route('/users')
  .get(listUsers)
  .post(createUser)

// Express auto-sends 405 for unsupported methods on defined routes.
// To add Allow header manually:
app.delete('/users', (req, res) => {
  res
    .set('Allow', 'GET, POST')
    .status(405)
    .json({ error: 'Method Not Allowed' })
})
Next.js App Router
// app/api/users/route.ts — only export the methods you support
// Next.js automatically returns 405 with Allow header for other methods

export async function GET() { /* ... */ }
export async function POST() { /* ... */ }
// DELETE, PUT, PATCH → 405 Method Not Allowed (automatic)

Related Status Codes

All HTTP status codes

Browse the complete HTTP status code reference.

All Status Codes

Frequently Asked Questions

What does HTTP 405 Method Not Allowed mean?

The HTTP method used in the request is not supported for the target resource. The response must include an Allow header listing the supported methods.

When should an API return 405?

Return 405 when a client uses an unsupported method on a valid resource (e.g., DELETE on a read-only resource, POST on a resource that only supports GET). Always include the Allow header.

What causes an HTTP 405 error?

Common causes: Calling DELETE on a read-only API endpoint; Using POST when only GET is allowed; PUT to an endpoint that only accepts PATCH; Submitting a form to an endpoint that only accepts GET.