8 tests verify that only allowed HTTP methods are accepted per path.
HTTP methods are configured per path in the policy.yaml file:
# policy.yaml
paths:
- pattern: "/static/*"
methods: ["GET", "HEAD"] # Read-only for static files
- pattern: "/api/users"
methods: ["GET", "POST"] # List and create
- pattern: "/api/users/{id}"
methods: ["GET", "PUT", "DELETE"] # Read, update, delete
- pattern: "/health"
methods: ["GET"] # Health check onlycurl -X GET http://localhost:8080/static/style.cssHTTP/1.1 200 OK
Content-Type: text/css
/* CSS content... */GET requests to static files are allowed as defined in the policy. The request is forwarded to the backend.
curl -X POST -H "Content-Type: application/json" \
-d '{"name": "John", "email": "john@example.com"}' \
http://localhost:8080/api/usersPOST requests to /api/users are allowed for creating new users.
curl -X DELETE http://localhost:8080/static/style.cssHTTP/1.1 405 Method Not Allowed
Content-Type: application/json
Allow: GET, HEAD
{"error": "Method not allowed", "allowed": ["GET", "HEAD"]}DELETE requests to static files are blocked. The response includes the Allow header listing permitted methods.
curl -X PUT -d '{"name": "Updated"}' http://localhost:8080/api/usersHTTP/1.1 405 Method Not Allowed
Allow: GET, POST
{"error": "Method not allowed", "allowed": ["GET", "POST"]}PUT to the collection endpoint /api/users is blocked. PUT is only allowed on /api/users/{id} for updating specific resources.
curl -X TRACE http://localhost:8080/api/usersTRACE and other potentially dangerous methods are blocked by default to prevent XST (Cross-Site Tracing) attacks.