Return 405, not 501, when an unsupported HTTP method is used #3286
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Currently, when the `supported_http_methods` DSL config option is not set to `:any`, the behaviour upon encountering an unexpected HTTP method is to return an `501 Not Implemented` response. Whilst this is technically correct, it can be somewhat problematic; in situations where 5xx error responses are used as a heuristic to determine whether or not an application is healthy, a single person sending a flood of requests with invalid HTTP methods can result in an application being considered 'unhealthy' because Puma returns a 501. It seems the somewhat more semantically correct response code to use in this scenario is `405 Method Not Allowed` – this is how Rails deals with HTTP methods it can't handle, for example. The HTTP spec requires that an `Allow` header is returned alongside it with details of which methods _are_ acceptable. To that end, this modifies the behaviour of Puma to return a 405 when supplied an unsupported HTTP method, rather than a 501, and return an `Allow` header with the valid methods.
|
Did you see #3284? |
|
I will reiterate my comment from that issue: #3284 (comment) I think we should go back to the way it was in Puma 5 and let the apps define this response cc @nateberkopec again because he is the decision maker here |
|
Ah – I didn't. Sorry folks; I'll close this! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Currently, when the
supported_http_methodsDSL config option is not set to:any, the behaviour upon encountering an unexpected HTTP method is to return an501 Not Implementedresponse.Whilst this is technically correct, it can be somewhat problematic; in situations where 5xx error responses are used as a heuristic to determine whether or not an application is healthy, a single person sending a flood of requests with invalid HTTP methods can result in an application being considered 'unhealthy' because Puma returns a 501.
It seems the somewhat more semantically correct response code to use in this scenario is
405 Method Not Allowed– this is how Rails deals with HTTP methods it can't handle, for example. The HTTP spec requires that anAllowheader is returned alongside it with details of which methods are acceptable.To that end, this modifies the behaviour of Puma to return a 405 when supplied an unsupported HTTP method, rather than a 501, and return an
Allowheader with the valid methods.Your checklist for this pull request
[ci skip]to the title of the PR.#issue" to the PR description or my commit messages.