Express middleware that returns 405 (rather than 404) for disallowed request methods. This module is part of FT.com Reliability Kit.
Install @dotcom-reliability-kit/middleware-allow-request-methods as a dependency:
npm install --save @dotcom-reliability-kit/middleware-allow-request-methodsInclude in your code:
import { allowRequestMethods } from '@dotcom-reliability-kit/middleware-allow-request-methods';
// or
const { allowRequestMethods } = require('@dotcom-reliability-kit/middleware-allow-request-methods');We recommend always using this middleware globally with app.use as a first middleware in your app. This is because, if a bad actor is making requests to your app to find attack vectors, you throw their request out as early as possible.
Route-specific blocking of methods is an additional layer of protection you can explore. It may be that your app does support POST requests for a form but the main view is GET only. You can filter out further junk requests on a per-route basis by using the app.route('...').all() method or use with a path.
Example usage:
const express = require('express');
const { allowRequestMethods } = require('@dotcom-reliability-kit/middleware-allow-request-methods');
const app = express();
// Allow only certain request methods for the entire app. If you're
// doing this, it must be above ALL routes you want it to apply to:
app.use(allowRequestMethods({ allowedMethods: ['GET', 'HEAD', 'POST'] }));
// Allow only certain request methods for a specific route, e.g. here
// we only allow `GET` and `HEAD` methods for the home page. Note that
// we have to use `all` for the allowed methods here THEN define the get
// request handler:
app
.route('/')
.all(allowRequestMethods({ allowedMethods: ['GET', 'HEAD'] }))
.get((request, response) => {
response.send('Homepage');
});
// You can also allow methods for a subset of routes. Remember that this
// applies for all routes that START with the value. E.g. the following
// will also only allow POST requests on `/submit/example`:
app.use('/submit', allowRequestMethods({ allowedMethods: ['POST'] }));
app.post('/submit', (request, response) => {
response.send('Form submitted');
});
app.listen(3000, () => console.log('Server running on port 3000'));Config options can be passed into the allowRequestMethods function as an object with any of the keys below.
app.use(allowRequestMethods({
// Config options go here
}));An array of HTTP methods that are allowed for the route. This must be an Array of Strings, with each string being an HTTP method. It's important that you do not include methods which are not supported by the route.
This option defaults to [].
See the central contributing guide for Reliability Kit.
Licensed under the MIT license.
Copyright © 2025, The Financial Times Ltd.