Skip to content
Advertisement

post request allowed although denied

I started ajax post request to a php file like this:

$.post("URL_TO_PHP_FIlE", {parameter: 1}, function(response) {
  console.log(response)
}    

And I get a response, but this should not be possible, because my php file only allows GET instead of POST:

header('Access-Control-Allow-Methods: GET');

Where is my fault?

Advertisement

Answer

The Access-Control-Allow-Methods header is used in the preflight response to give the client a hint at which methods are allowed. It does not automatically block any incoming requests of any other type – that’s something that you have to implement on your side, e.g. by returning a 405 Method Not Allowed status code.

if ( $_SERVER['REQUEST_METHOD'] !== 'GET' ) {
  http_response_code(405); exit;
}
User contributions licensed under: CC BY-SA
6 People found this is helpful
Advertisement