fix(nginx-openresty): reject unknown HTTP methods with 405

BennyFranciscus · BennyFranciscus · commit e7b5a19c6b89 · 2026-03-25T09:20:34.000Z
Add access_by_lua_block at server level to reject methods other than GET, HEAD, and POST with 405 Method Not Allowed. Requested by @joanhey in PR #99.
diff --git a/frameworks/nginx-openresty/nginx.conf b/frameworks/nginx-openresty/nginx.conf
@@ -35,6 +35,17 @@ http {
     server {
         listen 8080 reuseport;
 
+        # Reject unknown HTTP methods — only allow GET, HEAD, POST
+        access_by_lua_block {
+            local m = ngx.req.get_method()
+            if m ~= "GET" and m ~= "HEAD" and m ~= "POST" then
+                ngx.status = 405
+                ngx.header["Content-Type"] = "text/plain"
+                ngx.say("Method Not Allowed")
+                return ngx.exit(405)
+            end
+        }
+
         location /pipeline { content_by_lua_block { require("handler").pipeline() } }
         location /baseline11 { content_by_lua_block { require("handler").baseline11() } }
         location /baseline2 { content_by_lua_block { require("handler").baseline2() } }
