Closed apburnes closed 1 year ago
This is a good move. You're too quick, @apburnes 😀
Is the 405 a specific requirement? The limit_except directive can do this pretty tidily but I think it returns a 403.
@svenaas 405 is Method Not Allowed while a 403 is Forbidden where returning the status could be interpreted as insufficient rights to a resource. I went with 405 to return the more semantic status.
I agree that's better. It's a little weird that limit_except doesn't seem to provide a way to specify the response code for a particular use. That reduces the utility of the directive.
To improve security posture, only allow GET and HEAD request methods in the proxy.

Acceptance Criteria

405 status code if any other method is requested
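
The two approaches discussed in this thread, side by side as an added nginx configuration sketch (not the project's own config). The listen port, location paths and upstream address are placeholders, and the Allow header is an addition based on the HTTP requirement that a 405 response lists the permitted methods.

```nginx
# Added example: the port, paths and upstream address are placeholders.
server {
    listen 8080;

    # Variant A: limit_except. Naming GET also permits HEAD.
    # Any other method is rejected by the access module, which answers 403,
    # and the directive offers no way to choose a different status.
    location /variant-a/ {
        limit_except GET {
            deny all;
        }
        proxy_pass http://127.0.0.1:9000;
    }

    # Variant B: explicit method check, so the proxy answers 405
    # (Method Not Allowed) as the acceptance criteria ask.
    location /variant-b/ {
        if ($request_method !~ ^(GET|HEAD)$) {
            # "always" is needed so the header is attached to an error status.
            add_header Allow "GET, HEAD" always;
            return 405;
        }
        proxy_pass http://127.0.0.1:9000;
    }
}
```

After `nginx -t` and a reload, a request such as `curl -i -X POST` against each location should show 403 for variant A and 405 with an `Allow: GET, HEAD` header for variant B.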