Michael Davey

OPTIONS 405 (Method Not Allowed)

Discussion created by Michael Davey on Oct 16, 2015

Dear Qualys,


Please can you enable the OPTIONS method on your server https://api.ssllabs.com/ so JavaScript can use CORS to do safe cross-site-scripting (XSS).


You can confirm that OPTIONS currently produces an 405 method not allowed message using the following command from any Linux machine:


curl \
-k \
--verbose \
--request OPTIONS \
https://api.ssllabs.com/api/v2/info \
--header 'Origin: http://localhost:3000' \
--header 'Access-Control-Request-Headers: Origin, Accept, Content-Type' \
--header 'Access-Control-Request-Method: GET'

As per the CORS specification, JavaScript AJAX requests are sent straight to the server, unless:

  • HTTP method is not simple, i.e. other than: GET, POST or HEAD
  • Content-Type is not simple, i.e. other than: application/x-www-form-urlencoded, multipart/form-data or text/plain
  • request has authentication headers

…among others. Check the full list of conditions here.

In any of these scenarios, the browser will first do a preflight request. This is simply a request using the OPTIONS HTTP verb. If the request succeedes, the browser will issue the actual request right afterwards. This preflight request is cached by the browser so the server is not bothered more than necessary.

For instance, on Apache, this can be achieved by changing the following "Header set Access-*" headers to "Header always set Access-*" and adding the following to Apache to return 200 success when receiving Options

# Always set these headers.  Change the values to whatever is appropriate for your server.

Header always set Access-Control-Allow-Origin "*"

Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"

Header always set Access-Control-Max-Age "1000"

Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"


# Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request.  The headers above will be included in the response.

RewriteEngine On


RewriteRule ^(.*)$ $1 [R=200,L]