How to Use the HTTP Method Checker
When managing web servers or APIs, it’s crucial to ensure that only the necessary HTTP methods are enabled for each endpoint. Allowing dangerous methods like PUT, DELETE, or TRACE without proper access controls can lead to significant security vulnerabilities. This is where the http-method-checker comes in—a lightweight and effective tool designed for IT professionals to audit which HTTP methods are permitted by a given server.
Whether you’re conducting a security review, preparing for compliance audits, or just hardening your infrastructure, http-method-checker helps you quickly identify misconfigured web servers that might expose sensitive operations via unsafe HTTP methods.
What is http-method-checker?
The http-method-checker is a free online tool that sends requests using various HTTP methods—such as GET, POST, PUT, DELETE, OPTIONS, and others—to a target URL and returns a report indicating which methods are accepted by the server.
Under the hood, the tool systematically sends each method and analyzes the response code (typically looking for 200, 403, or 405 responses) to determine availability. This saves time compared to scripting these checks manually and minimizes human error in security testing scenarios.
Common Use Cases
- Web Server Hardening: Ensure that only required HTTP methods are enabled (e.g., disallowing PUT or TRACE).
- API Testing: Verify what methods an API endpoint supports without sifting through outdated documentation.
- Security Audits: Identify attack vectors caused by unintentionally exposed functionality.
- Compliance Checks: Validate that your infrastructure meets security standards (e.g., PCI-DSS requires disabling TRACE).
Step-by-Step Example
Let’s walk through how to use the http-method-checker for a sample web service hosted at https://example.com/api.
- Go to the HTTP Method Checker tool.
- Enter the target URL, such as https://example.com/api.
- Click the Check Methods button.
- Review the results table. It will list all common HTTP methods and show one of the following statuses for each:
  - ✔ Allowed: Server responded with a success code (200/204)
  - ✖ Not Allowed: Server responded with 405 Method Not Allowed or similar
  - ⚠ Uncertain: Server returned a redirect or ambiguous status
Example output:
GET ✔ Allowed
POST ✔ Allowed
PUT ✖ Not Allowed
DELETE ✖ Not Allowed
OPTIONS ✔ Allowed
TRACE ✖ Not Allowed
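The same check can be scripted. The following is an added example, not the tool's own code: it sends each method to a target and maps the status code to the three statuses listed above. The local demo server, the function names, and the choices to treat 501 as "Not Allowed" and 403 as "Uncertain" are assumptions made for this example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

METHODS = ["GET", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"]

def classify(status):
    """Map a status code to the three statuses used in the results table."""
    if status in (200, 204):
        return "Allowed"
    if status in (405, 501):   # assumption: 501 counts as "or similar"
        return "Not Allowed"
    return "Uncertain"         # redirects, 401/403, 5xx (assumption for 403)

def check_methods(host, port, path="/", methods=METHODS, timeout=5):
    """Send one request per method; return {method: (status, verdict)}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()                              # drain the body
            results[method] = (resp.status, classify(resp.status))
        except (OSError, http.client.HTTPException):
            results[method] = (None, "Uncertain")    # no usable answer
        finally:
            conn.close()
    return results

class DemoHandler(BaseHTTPRequestHandler):  # constructed target; TRACE unhandled -> 501
    def _reply(self, code):
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_GET(self): self._reply(200)
    def do_POST(self): self._reply(200)
    def do_OPTIONS(self): self._reply(204)
    def do_PUT(self): self._reply(302)      # redirect -> "Uncertain"
    def do_DELETE(self): self._reply(405)
    def log_message(self, *args): pass      # keep the demo quiet

def start_demo_server():
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    srv = start_demo_server()
    print(check_methods("127.0.0.1", srv.server_port))
```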
Pro Tips
- You can test internal IPs or staging environments via a local proxy or VPN, depending on accessibility.
- Look beyond just the status codes—some HTTP methods may respond with code 200 but still not take action (common with misconfigured reverse proxies).
- This tool complements other security scanning tools like OWASP ZAP or Nikto, especially for method enumeration.
Ready to try it on your own servers? Head over to the HTTP Method Checker tool and start testing today.


