HTTP Method Not Allowed
What It Means
This request used an HTTP method (verb) that is not currently authorized by the WAF.
Why It Matters
The WAF controls which HTTP methods are allowed to reach your application. Standard methods like GET, POST, and HEAD are always permitted. Other methods such as PUT, DELETE, PATCH, OPTIONS, and TRACE can be individually allowed or blocked. Restricting unused methods reduces your attack surface.
Common Triggers
This block is triggered by requests that use an HTTP method not enabled in your WAF configuration. This can happen when API clients use methods like PUT or DELETE that your WAF is configured to block, or when attackers use uncommon methods like TRACE or CONNECT to probe for vulnerabilities.
What To Do
If your application requires HTTP methods beyond GET, POST, and HEAD (common for REST APIs), enable the specific methods you need in your WAF dashboard. See How WAF Blocking Works for details on HTTP verb filtering. Do not enable methods your application does not actually use.
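To decide which methods to enable, one approach is to inventory the methods your application actually serves. The script below is an added example, not part of the WAF product. It assumes origin access logs in common/combined log format, collected while those methods could still reach the application, and treats a 2xx or 3xx response as evidence the method is in use (a heuristic). The sample log lines are constructed.

```python
import re
from collections import defaultdict

# Method sets as listed on this page.
ALWAYS_PERMITTED = {"GET", "POST", "HEAD"}
OPTIONAL = {"PUT", "DELETE", "PATCH", "OPTIONS", "TRACE"}

# Request line and status from a common/combined log format entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b')

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.8 - - [01/Jan/2025:10:00:02 +0000] "PUT /api/items/42 HTTP/1.1" 200 64
198.51.100.8 - - [01/Jan/2025:10:00:03 +0000] "PUT /api/items/43 HTTP/1.1" 204 0
198.51.100.8 - - [01/Jan/2025:10:00:04 +0000] "DELETE /api/items/42 HTTP/1.1" 204 0
198.51.100.9 - - [01/Jan/2025:10:00:05 +0000] "OPTIONS /api/items HTTP/1.1" 204 0
203.0.113.5 - - [01/Jan/2025:10:00:06 +0000] "TRACE / HTTP/1.1" 405 0
203.0.113.5 - - [01/Jan/2025:10:00:07 +0000] "CONNECT example.com:443 HTTP/1.1" 400 0
203.0.113.5 - - [01/Jan/2025:10:00:08 +0000] "PATCH /api/items/1 HTTP/1.1" 405 0
this is not a log line
"""

def inventory(lines):
    """Return {method: {"served": n, "other": n}} for parseable log lines."""
    stats = defaultdict(lambda: {"served": 0, "other": 0})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip malformed entries
        key = "served" if m["status"][0] in "23" else "other"
        stats[m["method"]][key] += 1
    return dict(stats)

def methods_to_enable(stats):
    """Optional methods the application demonstrably serves."""
    return sorted(m for m, s in stats.items() if m in OPTIONAL and s["served"] > 0)

def methods_to_keep_blocked(stats):
    """Methods seen in the logs that are neither always permitted nor in use."""
    enable = set(methods_to_enable(stats))
    return sorted(m for m in stats if m not in ALWAYS_PERMITTED and m not in enable)

if __name__ == "__main__":
    stats = inventory(SAMPLE_LOG.splitlines())
    print("enable:", methods_to_enable(stats))
    print("keep blocked:", methods_to_keep_blocked(stats))
```

Methods that only ever received error responses, such as the TRACE and PATCH requests in the sample, stay blocked.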