Restricting allowable verbs
We need to restrict allowable verbs. For example if a web service endpoint is only for read purpose and not for modification, then on the URL, /api/post/3, we should only allow GET method/verb but shouldn't allow PATCH. PUT, DELETE, or POST. If someone hits /api/post/3 with PATCH, PUT, DELETE, or POST, it shouldn't serve it, instead it should return an "405 Method Not Allowed" error.
However, if their client has an access token and based on that, the user is only allowed to use the GET method (although there are other methods available) and not other methods, and the client with that user hits the same URL with other methods, then there should be an "403 Forbidden" error, because there are methods allowed but just ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access