
I found out that there are servers that respond with HTTP 405 to HEAD requests (or another status code, including 404, which is confusing IMO, but that's not important now) even though GET requests are answered with HTTP 200. HTTP 405 is defined as...

405 Method Not Allowed

The method specified in the Request-Line is not allowed for the resource identified by the Request-URI. The response MUST include an Allow header containing a list of valid methods for the requested resource.

Alright, I looked at the Allow header and found out that I can use GET to get the resource (even though I only wanted to find out whether the resource exists). Problem solved.

However, my question is... Why would a server disallow the HEAD method? What is the advantage? Are there possible security reasons?

geckon
  • You won't get a definitive answer I think, one possibility is an attempt to harden the application from attack, if this is worthwhile is subjective - see http://security.stackexchange.com/questions/111616/http-head-and-its-security-versus-operational-uses – Alex K. Feb 17 '16 at 12:37
    Stupidity would be the only reason I'm aware of... – Julian Reschke Feb 17 '16 at 14:08
    I voted to close this question because it is not a programming question. Rather, it is about disallowed HTTP methods. In the future, I would suggest asking questions about this topic on [sf] or [security.se]. – Stephen Ostermiller Mar 09 '22 at 16:42

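A client-side version of the workaround the question settles on, as an added example (this is not code from the question or from any answer): a Python existence check that tries HEAD first and, on a 405, parses the Allow header and repeats the request as GET without reading the body. The local server, its `/exists` path and its content are constructed here to reproduce the behaviour described above (405 to every HEAD, 200 to GET); Python 3.9 or newer is assumed.

```python
from __future__ import annotations

import http.server
import threading
import urllib.error
import urllib.request


class HeadRejectingHandler(http.server.BaseHTTPRequestHandler):
    """Constructed server reproducing the behaviour in the question:
    GET on a known path -> 200 with a body, HEAD on any path -> 405 + Allow."""

    RESOURCES = {"/exists": b"hello"}  # constructed sample content

    def do_GET(self):
        body = self.RESOURCES.get(self.path)
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_HEAD(self):
        # The one thing this server gets right: the 405 carries an Allow header.
        self.send_response(405)
        self.send_header("Allow", "GET")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def allowed_methods(err: urllib.error.HTTPError) -> set[str]:
    """Parse the Allow header of a 405 response into a set of method names."""
    raw = err.headers.get("Allow", "")
    return {m.strip().upper() for m in raw.split(",") if m.strip()}


def resource_exists(url: str) -> tuple[bool, str]:
    """Return (exists, method_used). HEAD first; on 405 consult Allow and,
    if GET is advertised, repeat the request as GET without reading the body."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, method="HEAD"), timeout=5) as resp:
            return resp.status == 200, "HEAD"
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False, "HEAD"
        if err.code != 405:
            raise
        if "GET" not in allowed_methods(err):
            raise RuntimeError(f"HEAD rejected and GET not in Allow: {sorted(allowed_methods(err))}")
    try:
        with urllib.request.urlopen(urllib.request.Request(url, method="GET"), timeout=5) as resp:
            # Closing without reading the body keeps this an existence check, not a download.
            return resp.status == 200, "GET"
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False, "GET"
        raise


def run_demo() -> dict[str, tuple[bool, str]]:
    """Start the constructed server on a free local port, probe two paths, stop it."""
    server = http.server.HTTPServer(("127.0.0.1", 0), HeadRejectingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {
            "exists": resource_exists(base + "/exists"),
            "missing": resource_exists(base + "/missing"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The fallback only fires when the 405 actually advertises GET; a 405 with no usable Allow header is surfaced as an error rather than silently retried, and any other status (403, 5xx) propagates unchanged so the caller can tell "does not exist" from "could not check".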
1 Answer


I think it is because they're getting a log full of "the requested resource can only be accessed via SSL" errors when their HTTPS-only site gets tons of HEAD requests via HTTP. I think they're conflating "method" with "protocol" and so thinking the 405 makes sense.

See this post for an example of someone asking about the issue and being told to give a 405.

Nico Schlömer
Jason