Enable PUT and DELETE Http verbs for WebAPI with Cors on IIS 8.5

WebAPI in .Net by default allows only the GET, POST, OPTIONS and HEAD verbs. To allow PUT and DELETE, you need to remove the WebDAV handler and module from the request pipeline by making the following changes to the Web.Config.

The WebDAV element contains the settings that configure Web Distributed Authoring and Versioning (WebDAV) for Internet Information Services (IIS) 7 or above. WebDAV is an Internet-based open standard that enables editing Web sites over HTTP and HTTPS connections. You may get a 405 error code due to WebDAV.

      <remove name="WebDAV" />
      <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
      <remove name="OPTIONSVerbHandler" />
      <remove name="TRACEVerbHandler" />
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
    <validation validateIntegratedModeConfiguration="false" />
      <remove name="WebDAVModule" />
        <add name="Access-Control-Allow-Origin" value="http://somedomain" />
        <add name="Access-Control-Expose-Headers" value="Content-Type, Accept, expiry, uid, access-token, token-type" />
        <add name="Access-Control-Allow-Methods" value="POST,GET,OPTIONS,PUT,DELETE" />

Also, the ExtensionlessUrlHandler-Integrated-4.0 handler needs to allow all verbs with a * or a manual entry for specific verbs. The minimum runtime requirement is 4.0 to make this work.

The last bit to check for a message that says e.g. PUT /Rejected-By-UrlScan . Check the logs under C:\Windows\System32\inetsrv\urlscan\Logs on the Server. You may need to edit the config file to allow those verbs or remove the UrlScan 3.1 service in the ISAPI tab of your Service in IIS which points to urlscan.dll. This is usually mentioned last in the list.

CustomHeaders are part of enabling Cors. Please note that Access-Control-Allow-Origin should not allow “*” . It should mentions specific domain that requires to be allowed for Cors. You can expose custom headers using Access-Control-Expose-Headers and allow specific methods using Access-Control-Allow-Methods.

Show some love for the pit in my PayPal account.


6 thoughts on “Enable PUT and DELETE Http verbs for WebAPI with Cors on IIS 8.5

  1. Thanks so much for this article.

    It saved me time and helped resolve the issue I had been having.
    The issue being getting a 405 Method NOT Allowed response from the IIS server.

    More so, it gave me a concise understanding as to why .

    Thanks again.

    Kind regards.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.