Skip to content

Return 405 Method Not Allowed for non-GET HTTP requests #1684

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
majiayu000 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Return 405 Method Not Allowed for non-GET HTTP requests #1684

majiayu000 wants to merge 2 commits into from
+105 −5

Conversation

@majiayu000
Copy link

@majiayu000 majiayu000 commented Dec 11, 2025

Summary

  • Return HTTP 405 Method Not Allowed for non-GET requests (HEAD, POST, etc.) instead of raising an exception
  • This reduces log noise from bots and crawlers hitting WebSocket endpoints

Changes

  • Added InvalidMethod exception to websockets.exceptions
  • Modified Request.parse() in http11.py to raise InvalidMethod instead of ValueError for unsupported methods
  • Updated ServerProtocol.parse() in server.py to catch InvalidMethod and return a proper 405 response with Allow: GET header
  • Updated tests to verify the new behavior

Test plan

  • Added tests for HEAD and POST requests returning 405
  • Updated existing tests to expect InvalidMethod instead of ValueError
  • All tests pass

Fixes #1677

@majiayu000
Return 405 Method Not Allowed for non-GET HTTP requests
af60bd4 
Instead of raising an exception when receiving HEAD, POST, or other
non-GET HTTP methods, the server now properly returns a 405 Method
Not Allowed response with an Allow: GET header.

This change:
- Adds InvalidMethod exception for unsupported HTTP methods
- Modifies Request.parse() to raise InvalidMethod instead of ValueError
- Handles InvalidMethod in ServerProtocol.parse() to return 405 response
- Updates tests accordingly

Fixes python-websockets#1677
aaugustin
aaugustin requested changes Jan 3, 2026
View reviewed changes
Copy link
Member

@aaugustin aaugustin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See last comment for why I stopped reviewing.

src/websockets/exceptions.py Outdated
* :exc:`ProxyError`
* :exc:`InvalidProxyMessage`
* :exc:`InvalidProxyStatus`
* :exc:`InvalidMethod`
Copy link
Member

@aaugustin aaugustin Jan 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be after InvalidMessage -- you can only tell which method is used after you're successfully parsed the message.

src/websockets/exceptions.py Outdated
"ProxyError",
"InvalidProxyMessage",
"InvalidProxyStatus",
"InvalidMethod",
Copy link
Member

@aaugustin aaugustin Jan 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same.

src/websockets/exceptions.py
def __str__(self) -> str:
return f"invalid HTTP method; expected GET; got {self.method}"


Copy link
Member

@aaugustin aaugustin Jan 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same.

src/websockets/server.py
self.parser = self.discard()
next(self.parser) # start coroutine
yield
return
Copy link
Member

@aaugustin aaugustin Jan 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here you're calling reject(), a high level function, from the parser, a low level component.

This doesn't make sense from a layering perspective. Can you explain why you're done that?

I suspect the honest answer is "you just threw AI at the issue and didn't bothing reviewing" :-(

I can throw AI at an issue myself, thank you. Stopping the review there until I hear back.

@majiayu000
Refactor InvalidMethod handling to follow project architecture
54d5205 
- Move InvalidMethod exception after InvalidMessage in hierarchy,
  docstrings, and __all__ (since method is known only after parsing)
- Build 405 response directly in parse() without calling reject()
  to maintain proper layering between low-level parser and high-level API
- Remove redundant discard() setup (send_response already handles it)
- Add InvalidMethod to Request.parse() docstring

Signed-off-by: majiayu000 <1835304752@qq.com>
@majiayu000
Copy link
Author

majiayu000 commented Jan 11, 2026

Thanks for the feedback. You're right about the layering issue - I've fixed it:

  1. Moved InvalidMethod after InvalidMessage in all three places
  2. Removed the call to reject() - now building the Response directly in parse()
  3. Removed redundant discard() setup since send_response() already handles it
  4. Updated the docstring in http11.py

I apologize for the initial oversight. The code has been updated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aaugustin aaugustin aaugustin requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

HEAD raises an exception

2 participants

@majiayu000 @aaugustin