The 405 Method Not Allowed message indicates that the method type used to perform the request was not allowed for the requested resource.
There are multiple request methods available to clients when sending HTTP requests, some of the most well known being POST and GET; but there are also other request types available, such as OPTIONS, PUT, and DELETE.
If a given resource is not using the POST request, then it probably should not support that request type; but, clients might still send a POST request to a resource that only implements the GET method, and if the website is using software that is either flawed or configured incorrectly, it might still respond to such requests with a 200 Ok message.
When a server sends the 405 error response, the response headers should also include an Allow header field, used to inform the client about the supported methods for the requested resource.
A 405 Method Not Allowed response looks like this:
HTTP/1.1 405 Method Not Allowed Content-Type: text/html Allow: GET, HEAD <h1>405 Method Not Allowed</h1>
To send a 405 response from PHP we can use the http_response_code function:
http_response_code(405); header('Allow: GET, HEAD'); echo '<h1>405 Method Not Allowed</h1>'; exit();
405 Method Not Allowed and authentication
The 405 Method Not Allowed error may be used to help clients understand what request methods are allowed for a given resource.
In some cases, if a given method requires authentication before a user can use it, a 403 Forbidden status may be more appropriate. Note that the 403 status is best suited for HTML form based logins; a 401 Unauthorized message may be used where traditional HTTP authentication is used.
The allow header should only be delivered together with the 405 status, and not with any of the above.