Free Tool
HTTP Methods Checker
Review public HTTP method exposure and identify server behavior that may need tightening on production websites.
What this tool checks
This page uses ZeriFlow's deterministic website security engine and focuses its guidance on HTTP method configuration. For the full report, run a complete free security scan.
Key Checks
Legacy Methods
Highlights methods such as TRACE that are rarely needed on modern sites.
API Exposure
Explains when PUT, PATCH, and DELETE should be limited to authenticated API routes.
CORS Preflight
Reviews OPTIONS behavior in the context of CORS and public APIs.
Server Hardening
Provides baseline guidance for disabling methods that are not required.
Recommended Baseline
TRACE
Disable TRACE unless you have a specific, controlled need for it.
Write Methods
Restrict PUT, PATCH, and DELETE to authenticated routes with authorization checks.
OPTIONS
Keep OPTIONS only where required for APIs and avoid exposing extra details.
Default
Public websites usually need GET, HEAD, and POST for normal operation.
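The baseline above can be applied as a check over your own route inventory. The following is an added example, not ZeriFlow's code: the function names, the sample routes and the `requires_auth` / `is_api` flags are assumptions, and the Allow header values are constructed.

```python
# Added example: audit advertised HTTP methods against the baseline above.
BASELINE = {"GET", "HEAD", "POST"}          # normal public-site methods
WRITE_METHODS = {"PUT", "PATCH", "DELETE"}  # belong on authenticated API routes
LEGACY = {"TRACE"}                          # rarely needed; disable

def parse_allow(header_value):
    """Split an Allow header value into a set of upper-case method names."""
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}

def audit_route(path, allow_header, requires_auth, is_api):
    """Return the findings for one route, in a stable order."""
    methods = parse_allow(allow_header)
    findings = []
    for m in sorted(methods & LEGACY):
        findings.append(f"{path}: {m} enabled; disable unless specifically needed")
    for m in sorted(methods & WRITE_METHODS):
        if not (is_api and requires_auth):
            findings.append(f"{path}: {m} exposed outside an authenticated API route")
    if "OPTIONS" in methods and not is_api:
        findings.append(f"{path}: OPTIONS advertised on a non-API route")
    for m in sorted(methods - BASELINE - WRITE_METHODS - LEGACY - {"OPTIONS"}):
        findings.append(f"{path}: unexpected method {m}; confirm it is required")
    return findings

# Constructed sample inventory: (path, Allow header, requires_auth, is_api)
SAMPLE_ROUTES = [
    ("/", "GET, HEAD, POST", False, False),
    ("/legacy", "GET, HEAD, TRACE, OPTIONS", False, False),
    ("/api/items", "GET, POST, PUT, PATCH, DELETE, OPTIONS", True, True),
    ("/uploads", "GET, put, delete", False, False),
]

def audit_all(routes):
    """Run audit_route over every entry and collect all findings."""
    report = []
    for path, allow, auth, api in routes:
        report.extend(audit_route(path, allow, auth, api))
    return report

if __name__ == "__main__":
    for line in audit_all(SAMPLE_ROUTES):
        print(line)
```

An Allow header only states what the server advertises, so confirm the result against the server or framework configuration for each route.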
FAQ
Which HTTP methods are risky?
TRACE is rarely needed and should usually be disabled. PUT, DELETE, and PATCH should only be available on authenticated API routes that require them.
Should OPTIONS be disabled?
Not always. OPTIONS is often required for CORS preflight requests on APIs. The important part is ensuring it does not expose sensitive behavior.
Can HTTP methods reveal security issues?
They can reveal misconfigured servers, overly broad API exposure, or legacy features that should not be enabled on public routes.
Does this tool perform intrusive testing?
No. This page is for safe visibility and guidance using ZeriFlow's standard non-intrusive workflow.
Need the full security picture?
ZeriFlow combines deterministic website checks across headers, TLS, DNS, cookies, and email security with monitoring, reporting, and AI-powered developer workflows where implemented.