http - Why does my web server software disallow PUT and DELETE requests?

Question

I am trying to implement a REST protocol and have realized in trying to debug that my web server is disallowing the PUT request.

I have tested and confirmed this further by running:

curl -X PUT  http://www.mywebserver.com/testpage

Which for my web server gives back a 403 - Forbidden error.

The same happens for DELETE, where as for POST and GET everything is fine.

I am wondering if this is a common issue that those who use REST encounter and what the work-around might be?

Could I make a simple change to an .htaccess file? Or do I need to modify the protocol to set a hidden variable "_method" in the POST query string?

Answer 1

Often web servers will be configured to block anything except GET and POST since 99% of the time they're all that are needed and there have been problems in the past with applications assuming the requests were one of those two.

You don't say which server it is but, for example, you can tell Apache which methods to allow with the directive:

eg:

<Limit POST PUT DELETE>
  Require valid-user
</Limit>

It sounds like maybe some helpful sysadmin has used this to block non GET/POST

You could try an .htaccess with

<Limit GET POST PUT DELETE>
  Allow from all
</Limit>

(I'm not an expert at apache, this may not be exactly correct)