Enable PUT and DELETE Http verbs for WebAPI with Cors on IIS 8.5

WebAPI in .Net by default allows only the GET, POST, OPTIONS and HEAD verbs. To allow PUT and DELETE, you need to remove the WebDAV handler and module from the request pipeline by making the following changes to the Web.Config.

The WebDAV element contains the settings that configure Web Distributed Authoring and Versioning (WebDAV) for Internet Information Services (IIS) 7 or above. WebDAV is an Internet-based open standard that enables editing Web sites over HTTP and HTTPS connections. You may get a 405 error code due to WebDAV.

<system.webServer>
    <handlers>
      <remove name="WebDAV" />
      <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
      <remove name="OPTIONSVerbHandler" />
      <remove name="TRACEVerbHandler" />
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
    <validation validateIntegratedModeConfiguration="false" />
    <modules>
      <remove name="WebDAVModule" />
    </modules>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="http://somedomain" />
        <add name="Access-Control-Expose-Headers" value="Content-Type, Accept, expiry, uid, access-token, token-type" />
        <add name="Access-Control-Allow-Methods" value="POST,GET,OPTIONS,PUT,DELETE" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

Also, the ExtensionlessUrlHandler-Integrated-4.0 handler needs to allow all verbs with a * or a manual entry for specific verbs. The minimum runtime requirement is 4.0 to make this work.

The last bit to check for a message that says e.g. PUT /Rejected-By-UrlScan . Check the logs under C:\Windows\System32\inetsrv\urlscan\Logs on the Server. You may need to edit the config file to allow those verbs or remove the UrlScan 3.1 service in the ISAPI tab of your Service in IIS which points to urlscan.dll. This is usually mentioned last in the list.

CustomHeaders are part of enabling Cors. Please note that Access-Control-Allow-Origin should not allow “*” . It should mentions specific domain that requires to be allowed for Cors. You can expose custom headers using Access-Control-Expose-Headers and allow specific methods using Access-Control-Allow-Methods.

Show some love for the pit in my PayPal account.

6 thoughts on “Enable PUT and DELETE Http verbs for WebAPI with Cors on IIS 8.5”

Sachin Babar says:

April 30, 2019 at 7:46 pm

Thank you. it helped lot me to solve my problem with put request.

LikeLike

1. Pulkit Gulati says:
  
  August 28, 2019 at 10:20 am
  
  Thank you so much.
  
  LikeLike
  
hani khurma says:

November 12, 2020 at 6:00 pm

thnx a lot bro

LikeLike

Charles Opuoro says:

December 25, 2020 at 4:10 pm

Thanks so much for this article.

It saved me time and helped resolve the issue I had been having.
The issue being getting a 405 Method NOT Allowed response from the IIS server.

More so, it gave me a concise understanding as to why .

Thanks again.

Kind regards.

LikeLike

Taha Hussain says:

July 31, 2021 at 11:27 am

Whooopppss it took almost 10 hours to figure out what is exactly happening, it helped me a lot.
Thankssss.

LikeLike

alavri says:

January 24, 2022 at 2:55 am

Thank you very much for posting this. That fixed the issue for me. Much appreciated!

LikeLike