405 method options not allowed in asp.net web api controller?

Question

I have this very common issue where it says method not allowed (OPTIONS) for a GET request. I am getting the following error whenever I make an API call. I have this setting in web.config:

<system.webServer>
  <modules>
    <remove name="WebDAVModule"/>
  </modules>
  <httpProtocol>
    <customHeaders>
      <add name="Access-Control-Allow-Origin" value="*"/>
      <add name="Access-Control-Allow-Headers" value="Origin, Authorization, X-Requested-With, Content-Type, Accept"/>
      <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS"/>
    </customHeaders>
  </httpProtocol>
  <handlers>
    <remove name="WebDAV"/>
    <remove name="ExtensionlessUrlHandler-Integrated-4.0"/>
    <remove name="OPTIONSVerbHandler"/>
    <remove name="TRACEVerbHandler"/>
    <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0"/>
  </handlers>
</system.webServer>

I tried using Asp.Net.WebApi.Cors and enforcing CORS globally using EnableCors() for all origin headers and methods and that did not work either.

What version of IIS are you using? – mason Apr 17 '17 at 20:48 — mason, Apr 17 '17 at 20:48
@mason: iis 10.0 express – user1505521 Apr 17 '17 at 21:11 — user1505521, Apr 17 '17 at 21:11

sideshowbarker · Accepted Answer · 2017-04-17T23:26:12.443

In your handlers after <remove name="OPTIONSVerbHandler"/>, add this:

<add name="OPTIONSVerbHandler" path="*" verb="OPTIONS"
  modules="IsapiModule" requireAccess="None"
  scriptProcessor="C:\Windows\System32\inetsrv\asp.dll"
  resourceType="Unspecified" />

See the answer at IIS hijacks CORS Preflight OPTIONS request.

Or maybe even just this:

 <add name="OPTIONSVerbHandler" path="*" verb="OPTIONS"
   modules="ProtocolSupportModule" requireAccess="None" />

If that doesn’t work, something that will is adding the following in your global.asax or other code:

protected void Application_BeginRequest(object sender,EventArgs e)
{
    HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "*");
    if(HttpContext.Current.Request.HttpMethod == "OPTIONS")
    {
        HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
        HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers", "Content-Type, Accept");
        HttpContext.Current.Response.AddHeader("Access-Control-Max-Age", "1728000" );
        HttpContext.Current.Response.End();
    }
}

Tried 1st and 2nd did not worked.. The third one worked but since we are not using Global.asax for pipelinng the api Configuration during startup... I did not use that method..So I found the same approach solution by defining a custom Mesagehandler that sends response OK whenever I get a preflight requests asynchronously.. Since the idea is the same I will give it an answer.. — user1505521, Apr 18 '17 at 13:53
Strange behavior ahead: I tried the global.asax version and it got my web.API working. Specifically i wanted to know what was allowing it work as that code is just duplicated whats in my web.config. One by one I removed each line until I had removed the whole `Application_BeginRequest()` method. And it still worked.... so back to idential config / code as i started with but working. — Morvael, Oct 09 '18 at 08:37

405 method options not allowed in asp.net web api controller?

1 Answers1

Linked