npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2025 – Pkg Stats / Ryan Hefner

@dotcom-reliability-kit/middleware-allow-request-methods

v1.1.0

Published

Express middleware that returns 405 (rather than 404) for disallowed request methods

Downloads

1,293

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

hamza.samihhamza.samihrowanmanningrowanmanningthe-ftthe-ftseraph2000seraph2000robertboultonrobertboulton

Keywords

Readme

@dotcom-reliability-kit/middleware-allow-request-methods

Express middleware that returns 405 (rather than 404) for disallowed request methods. This module is part of FT.com Reliability Kit.

Usage

Install @dotcom-reliability-kit/middleware-allow-request-methods as a dependency:

npm install --save @dotcom-reliability-kit/middleware-allow-request-methods

Include in your code:

import { allowRequestMethods } from '@dotcom-reliability-kit/middleware-allow-request-methods';
// or
const { allowRequestMethods } = require('@dotcom-reliability-kit/middleware-allow-request-methods');

We recommend always using this middleware globally with app.use as a first middleware in your app. This is because, if a bad actor is making requests to your app to find attack vectors, you throw their request out as early as possible.

Route-specific blocking of methods is an additional layer of protection you can explore. It may be that your app does support POST requests for a form but the main view is GET only. You can filter out further junk requests on a per-route basis by using the app.route('...').all() method or use with a path.

Example usage:

const express = require('express');
const { allowRequestMethods } = require('@dotcom-reliability-kit/middleware-allow-request-methods');

const app = express();

// Allow only certain request methods for the entire app. If you're
// doing this, it must be above ALL routes you want it to apply to:
app.use(allowRequestMethods({ allowedMethods: ['GET', 'HEAD', 'POST'] }));

// Allow only certain request methods for a specific route, e.g. here
// we only allow `GET` and `HEAD` methods for the home page. Note that
// we have to use `all` for the allowed methods here THEN define the get
// request handler:
app
 .route('/')
 .all(allowRequestMethods({ allowedMethods: ['GET', 'HEAD'] }))
 .get((request, response) => {
  response.send('Homepage');
 });

// You can also allow methods for a subset of routes. Remember that this
// applies for all routes that START with the value. E.g. the following
// will also only allow POST requests on `/submit/example`:
app.use('/submit', allowRequestMethods({ allowedMethods: ['POST'] }));

app.post('/submit', (request, response) => {
 response.send('Form submitted');
});

app.listen(3000, () => console.log('Server running on port 3000'));

Configuration options

Config options can be passed into the allowRequestMethods function as an object with any of the keys below.

app.use(allowRequestMethods({
    // Config options go here
}));

options.allowedMethods

An array of HTTP methods that are allowed for the route. This must be an Array of Strings, with each string being an HTTP method. It's important that you do not include methods which are not supported by the route.

This option defaults to [].

Contributing

See the central contributing guide for Reliability Kit.

License

Licensed under the MIT license. Copyright © 2025, The Financial Times Ltd.