HTTP Methods Validation

12 tests verify that only allowed HTTP methods are accepted per endpoint as defined in the OpenAPI specification.

OpenAPI Configuration

Each endpoint defines which HTTP methods are allowed:

# openapi.yaml
paths:
  /users:
    get:                    # GET allowed
      summary: "List users"
    post:                   # POST allowed
      summary: "Create user"
    # DELETE not defined = blocked!

  /users/{id}:
    get:                    # GET allowed
      summary: "Get user"
    put:                    # PUT allowed
      summary: "Update user"
    delete:                 # DELETE allowed
      summary: "Delete user"

METHOD-001 PASS

GET /users - Allowed method

Sample Request

curl -X GET -H "X-API-Key: valid-key" http://localhost:8080/users

Expected Response

HTTP/1.1 200 OK

GET requests to /users are allowed as defined in the OpenAPI spec.

METHOD-002 PASS

POST /users - Create resource

Sample Request

curl -X POST -H "X-API-Key: valid-key" \
  -H "Content-Type: application/json" \
  -d '{"name": "John", "email": "john@example.com"}' \
  http://localhost:8080/users

POST is allowed on /users for creating new resources.

METHOD-003 BLOCKED

DELETE /users - Method not allowed

Sample Request

curl -X DELETE -H "X-API-Key: valid-key" http://localhost:8080/users

Expected Response

HTTP/1.1 405 Method Not Allowed
Allow: GET, POST
Content-Type: application/json

{"error": "Method not allowed", "allowed": ["GET", "POST"]}

DELETE requests are blocked if not explicitly defined for this endpoint. This prevents mass deletion attacks.

METHOD-004 PASS

DELETE /users/{id} - Allowed on specific resource

Sample Request

curl -X DELETE -H "X-API-Key: valid-key" http://localhost:8080/users/550e8400-e29b-41d4-a716-446655440000

DELETE is allowed on /users/{id} for deleting specific resources, as defined in the OpenAPI spec.

METHOD-005 BLOCKED

PATCH /users - Method not defined

Sample Request

curl -X PATCH -H "X-API-Key: valid-key" -d '{"name": "New"}' http://localhost:8080/users

PATCH is not defined in the OpenAPI spec for /users, so it is rejected.

METHOD-006 BLOCKED

TRACE /users - Dangerous method blocked

Sample Request

curl -X TRACE http://localhost:8080/users

TRACE and other potentially dangerous methods are blocked by default to prevent XST (Cross-Site Tracing) attacks.