Allowed HTTP Methods
Overview
In API Connectivity Manager, you can apply policies to an API Gateway to further enhance its configuration to meet your requirements.
Policies added at the proxy level are applied to all routes within that proxy.
For an overview of the different policy types and available policies, refer to the Learn about Policies topic.
About Allow HTTP Methods Policy
Use the Allowed HTTP Methods policy to specify which methods you want to allow, while automatically blocking all the others. As an example, you could allow only GET requests for static content.
Intended Audience
This guide is meant for Infrastructure Administrators.
Infrastructure Administrators ensure uniform governance across an organization’s infrastructure by setting policies at the infrastructure level, enabling teams to build APIs without interruption while adhering to the organization’s standards.
Before You Begin
To complete the steps in this guide, you need the following:
- API Connectivity Manager is installed, licensed, and running.
- You have one or more Environments with an API Gateway.
- You have published one or more API Gateways.
Policy Settings
| Field | Type | Possible Values | Description | Required | Default value | 
|---|---|---|---|---|---|
| allowedMethods | array | GET,PUT,POST,PATCH,DELETE,CONNECT,OPTIONS,TRACE | This array contains all of the possible HTTP methods. Methods listed in  Note:  | Yes | |
| returnCode | int | In range 400-599 | The status code to be returned if a method isn’t included in the allowedMethods array. | No | System assigned 405 |
Applying the Policy
Follow these steps to restrict which HTTP methods clients can use to access your API. If the request’s HTTP method is not in the allowed methods list, a 405 Method Not Allowed response is returned by default, or you can specify a different error code.
Note:
By enabling the GET method, the HEAD method is also enabled.
See Also:
You can use tools such as curl or Postman to interact with the API Connectivity Manager REST API. The API URL follows the format https://<NMS_FQDN>/api/acm/<API_VERSION> and must include authentication information with each call. For more information about authentication options, please refer to the API Overview.
To create an Allowed HTTP Methods policy using the REST API, send an HTTP POST request to the Proxies endpoint.
| Method | Endpoint | 
|---|---|
| POST | /services/workspaces/{service-workspace}/proxies | 
JSON request
{
  "policies": {
    "allowed-http-methods": [
      {
        "action": {
          "allowedMethods": [
            "GET",
            "PUT",
            "POST",
            "PATCH",
            "DELETE",
            "CONNECT",
            "OPTIONS",
            "TRACE"
          ],
          "returnCode": 405
        }
      }
    ]
  }
}

This JSON defines an Allowed HTTP Methods policy that specifies which HTTP methods are allowed. The listed methods (GET, PUT, POST, PATCH, DELETE, CONNECT, OPTIONS, TRACE) are all allowed, and any other methods will return a 405 Method Not Allowed response code.
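The Python sketch below is an added example, not part of the original documentation. It checks a policy against the Policy Settings table, builds the JSON fragment for the GET-only case mentioned earlier, and lists the outcome each method should then receive, which can serve as expected values when testing a published proxy. The function names are hypothetical, and treating an empty allowedMethods array as missing is an assumption.

```python
import json

# Values taken from the Policy Settings table on this page.
POSSIBLE_METHODS = ("GET", "PUT", "POST", "PATCH", "DELETE", "CONNECT", "OPTIONS", "TRACE")
DEFAULT_RETURN_CODE = 405


def build_policy(allowed_methods, return_code=DEFAULT_RETURN_CODE):
    """Return the "policies" fragment of the proxy request body, validated."""
    methods = [m.upper() for m in allowed_methods]
    if not methods:
        # Assumption: an empty array is treated like a missing required field.
        raise ValueError("allowedMethods is required")
    unknown = sorted(set(methods) - set(POSSIBLE_METHODS))
    if unknown:
        raise ValueError(f"not a possible value for allowedMethods: {unknown}")
    if isinstance(return_code, bool) or not isinstance(return_code, int) or not 400 <= return_code <= 599:
        raise ValueError("returnCode must be an int in the range 400-599")
    # Keep the table's order and drop duplicates so the payload is stable in review.
    ordered = [m for m in POSSIBLE_METHODS if m in methods]
    return {"policies": {"allowed-http-methods": [
        {"action": {"allowedMethods": ordered, "returnCode": return_code}}]}}


def expected_status(policy, method):
    """Return None if the method should be passed on, else the blocking status code."""
    action = policy["policies"]["allowed-http-methods"][0]["action"]
    allowed = set(action["allowedMethods"])
    if "GET" in allowed:
        allowed.add("HEAD")  # per the page's note: enabling GET also enables HEAD
    if method.upper() in allowed:
        return None
    return action.get("returnCode", DEFAULT_RETURN_CODE)


def expectation_matrix(policy):
    """Map each method worth probing to the outcome the policy should produce."""
    return {m: expected_status(policy, m) for m in POSSIBLE_METHODS + ("HEAD",)}


if __name__ == "__main__":
    static_content = build_policy(["get"])  # GET-only, as in the page's example
    print(json.dumps(static_content, indent=2))
    for method, status in expectation_matrix(static_content).items():
        print(f"{method:8} -> {'allowed' if status is None else status}")
```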
To create an Allowed HTTP Methods policy using the web interface:
- In a web browser, go to the FQDN for your NGINX Instance Manager host and log in. Then, from the Launchpad menu, select API Connectivity Manager.
- On the left menu, select Services.
- Select a workspace in the list that contains the API Proxy you want to update.
- On the workspace overview page, on the API Proxies tab, locate the API Proxy you want to update. Select the Actions menu (represented by an ellipsis, ...), then select Edit Proxy.
- On the left menu, select API Proxy > Advanced > Policies.
- On the Advanced > Policies page, on the API Proxy tab, locate Allowed HTTP Methods. Select the Actions menu (represented by an ellipsis, ...), then select Add Policy.
- On the Allowed HTTP Methods form, complete the necessary fields:
  - Allow following HTTP Methods: Specify the HTTP methods you want to allow. Any methods that aren’t included will be blocked.
  - Custom response code for non-matching requests: Specify the status code to return for blocked methods. The default is 405 Method Not Allowed.
- Select Add to apply the policy to the API proxy.
- Select Save and Publish to deploy the configuration to the API Proxy.