Search code examples
iisasp.net-web-apicorshttp-method

Why am I getting a 405 response to a DELETE request even though I allow that method in my CORS config?


I have a Blazor WebAssembly and C# web API hosted on IIS and When trying to send a PUT or DELETE request to my API I get this cors error:

Cors error

While i have this in My Program.cs:

policies

usecors

This is the response headers I get back on IIS:

Allowed headers

This is not right.

because on my localhost when sending PUT or DELETE I get this back, response localhost:

Allowed headers localhost as expected hosted

localhost works as expected but not IIS.

Why is that?

UPDATE:

there was nothing wrong with my setup as seen above. In my IIS I have to disable WebDav by adding this in my web.config:

        <modules>
            <remove name="WebDAVModule"/>
        </modules>

And make sure you don't autogenerate your web.config.


Solution

  • Don't conflate

    • the methods supported by your resource
    • the methods allowed by your resource for CORS.

    They're two different things, although the latter typically form a subset of the former. Sure, your CORS configuration allows the DELETE method:

    Access-Control-Allow-Methods: GET,PUT,POST,DELETE,PATCH,OPTIONS
    

    But allowing a method in your CORS configuration doesn't automatically make the resource support that method! Note the absence of DELETE from the Allow header, which lists the set of methods supported by the resource:

    Allow: GET, HEAD, OPTIONS, TRACE
    

    The absence of DELETE from this list indicates that your resource currently doesn't support that method. The response status (405 Method Not Allowed) is another clue.

    You need to fix that in your routes or whatever.