405-ALLOW

Test ID: COMP-405-ALLOW
Category: Compliance
RFC: RFC 9110 §15.5.6
Requirement: MUST
Expected: 405 with Allow header

What it sends

A DELETE request to the root path, which most servers do not support. This is intended to trigger a 405 response.

DELETE / HTTP/1.1\r\n
Host: localhost:8080\r\n
\r\n

What the RFC says

“The origin server MUST generate an Allow header field in a 405 response containing a list of the target resource’s currently supported methods.” – RFC 9110 Section 15.5.6

And:

“An origin server MUST generate an Allow header field in a 405 (Method Not Allowed) response and MAY do so in any other response.” – RFC 9110 Section 10.2.1

Why it matters

The Allow header in a 405 response tells clients which methods are actually supported. Without it, clients have no way to discover valid methods for the resource, forcing them to guess. Automated tools and API clients depend on this header for correct operation. If the server returns a status other than 405 (e.g., it accepts DELETE or returns 501), the test reports a warning since the Allow requirement cannot be verified.
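The check described above, written out as an added example (this is not the test suite's own code). The function names, the pass/fail/warn labels, and the sample responses are assumptions made for illustration.

```python
import socket

# The probe from "What it sends", byte for byte.
REQUEST = b"DELETE / HTTP/1.1\r\nHost: localhost:8080\r\n\r\n"

def parse_head(raw: bytes):
    """Return (status_code, {lowercased header name: [values]}) from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise them
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers

def evaluate(raw: bytes):
    """Verdict labels (pass/fail/warn) are this example's assumption."""
    status, headers = parse_head(raw)
    if status != 405:
        return "warn", "status %d, Allow requirement cannot be verified" % status
    if "allow" not in headers:
        return "fail", "405 without an Allow header field"
    # An empty Allow value is legal: it means the resource allows no methods.
    methods = [m.strip() for v in headers["allow"] for m in v.split(",") if m.strip()]
    return "pass", "Allow: " + ", ".join(methods)

def probe(host="localhost", port=8080, timeout=5.0):
    """Send the request to a live server and evaluate the response head."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(REQUEST)
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return evaluate(buf)

# Constructed sample responses (not captured from any real server).
SAMPLE_OK = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD\r\nContent-Length: 0\r\n\r\n"
SAMPLE_NO_ALLOW = b"HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n"
SAMPLE_501 = b"HTTP/1.1 501 Not Implemented\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print([evaluate(r) for r in (SAMPLE_OK, SAMPLE_NO_ALLOW, SAMPLE_501)])
```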

Sources