This tutorial shows how to fix method not allowed on PUT and DELETE requests in ASP.NET Core.

After pushing code to the beta server, most of it was working fine. The front-end was being able to call GET, POST and OPTIONS requests normally. When trying to DELETE or PUT entries, however, the following error would show up on the browser’s console:

Method not allowed? CORS error? What?

Initially, I was misled by the CORS error. Having had problems with this in the past, I thoroughly checked my API code for any possible problem in the configuration that could lead to this error only after deployed. I found none.

Then, it dawned on me that the CORS error could be not because my API wasn’t sending the ‘Access-Control-Allow-Origin’ on its response, but because it wasn’t being sent on the HTTP 405 error seen above.


What happens is that, when published, .NET Core enables the WebDAVModule, which disables PUT and DELETE requests by default.

So, to solve the issue, I ended up disabling WebDAV in the whole application, by adding these lines to the auto-generated web.config:

  <modules runAllManagedModulesForAllRequests="false">
   <remove name="WebDAVModule" />

After restarting the API in IIS, TA-DA! Everything (or at least your PUT and DELETE requests) should be working normally.

I hope this will be helpful to someone that host ASP.NET website on Windows Server.