Allow
Response header Routing

Overview

Allow is a response header listing the HTTP methods a specific resource supports. It lets clients learn which operations (GET, POST, DELETE, etc.) they may perform on that resource.

The value is a comma-separated list of supported methods.

Details

Its most important use is on a 405 Method Not Allowed response. The spec requires 405 responses to include an Allow header so the client learns which methods the resource actually permits. For example, sending DELETE to a read-only resource yields 405 + Allow: GET, HEAD, OPTIONS.

OPTIONS responses also carry Allow so clients can query supported methods up front. An empty value (Allow:) means the resource supports no methods at all.

Allow reflects same-origin method support, whereas CORS's Access-Control-Allow-Methods states which methods are permitted in a cross-origin preflight. The names look alike but serve different purposes and contexts.

Syntax

Allow: <method>[, <method>]*

e.g. Allow: GET, HEAD, POST, OPTIONS

Notes

Related headers

Related status codes

Specification