diff --git a/src/content/changelog/web-analytics/2026-05-13-rum-405-method-not-allowed.mdx b/src/content/changelog/web-analytics/2026-05-13-rum-405-method-not-allowed.mdx new file mode 100644 index 000000000000000..1baba592e701ec3 --- /dev/null +++ b/src/content/changelog/web-analytics/2026-05-13-rum-405-method-not-allowed.mdx @@ -0,0 +1,15 @@ +--- +title: "/cdn-cgi/rum endpoint now returns 405 for non-POST requests" +description: The /cdn-cgi/rum beacon endpoint now returns 405 Method Not Allowed instead of 404 when called with an unsupported HTTP method. +date: 2026-05-13 +products: + - web-analytics +--- + +The `/cdn-cgi/rum` beacon endpoint now returns `405 Method Not Allowed` for non-POST requests instead of `404 Not Found`. The response includes an `Allow: POST, OPTIONS` header per [RFC 9110 ยง15.5.6](https://www.rfc-editor.org/rfc/rfc9110#section-15.5.6). + +Previously, sending a `GET` or other non-POST request to this endpoint returned a `404`, which was misleading because it suggested the endpoint did not exist. The new `405` response clearly indicates that the endpoint exists but only accepts `POST` requests. + +The Web Analytics beacon (`beacon.min.js`) already uses `POST` for all metric submissions, so this change does not affect normal beacon operation. `OPTIONS` requests for CORS preflight continue to work as before. + +For more information, refer to the [Web Analytics FAQ](/web-analytics/faq/#why-am-i-getting-a-405-method-not-allowed-error-from-cdn-cgirum). diff --git a/src/content/docs/web-analytics/faq.mdx b/src/content/docs/web-analytics/faq.mdx index 8da3c9c82f4c0db..3b7a4c8db751c24 100644 --- a/src/content/docs/web-analytics/faq.mdx +++ b/src/content/docs/web-analytics/faq.mdx @@ -52,6 +52,16 @@ Since only one JS snippet can be rendered and used per page, you cannot have mul If you have a `Cache-Control` header set to `public, no-transform`, Cloudflare proxy will not be able to modify the original payload of the website. Therefore, the Beacon script will not be automatically injected to your site, and Web Analytics will not work. Refer to [Origin cache control](/cache/concepts/cache-control/) for more information. +### Why am I getting a `405 Method Not Allowed` error from `/cdn-cgi/rum`? + +The `/cdn-cgi/rum` endpoint only accepts `POST` requests for data ingestion. If you send a request using any other HTTP method (for example, `GET`, `PUT`, or `DELETE`), the endpoint returns a `405 Method Not Allowed` response with an `Allow: POST, OPTIONS` header (`OPTIONS` is allowed for [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS) support). + +The Web Analytics beacon (`beacon.min.js`) always uses `POST` when reporting metrics. If you see `405` errors in your logs, the requests are not coming from the beacon itself. + +They are most likely coming from an automated testing tool making erroneous requests, in which case you should correct it to use `POST` or ignore the errors. + +We do not support custom integrations directly with the endpoint: all requests should originate from our beacon JavaScript. + --- ## Setup