From aa0347a351be0e9be5cb4bc17c2e170df87595ec Mon Sep 17 00:00:00 2001 From: jburns Date: Wed, 13 May 2026 12:00:21 -0400 Subject: [PATCH 1/3] Add 405 FAQ and changelog for /cdn-cgi/rum --- .../2026-05-13-rum-405-method-not-allowed.mdx | 15 +++++++++++++++ src/content/docs/web-analytics/faq.mdx | 8 ++++++++ 2 files changed, 23 insertions(+) create mode 100644 src/content/changelog/web-analytics/2026-05-13-rum-405-method-not-allowed.mdx diff --git a/src/content/changelog/web-analytics/2026-05-13-rum-405-method-not-allowed.mdx b/src/content/changelog/web-analytics/2026-05-13-rum-405-method-not-allowed.mdx new file mode 100644 index 000000000000000..1baba592e701ec3 --- /dev/null +++ b/src/content/changelog/web-analytics/2026-05-13-rum-405-method-not-allowed.mdx @@ -0,0 +1,15 @@ +--- +title: "/cdn-cgi/rum endpoint now returns 405 for non-POST requests" +description: The /cdn-cgi/rum beacon endpoint now returns 405 Method Not Allowed instead of 404 when called with an unsupported HTTP method. +date: 2026-05-13 +products: + - web-analytics +--- + +The `/cdn-cgi/rum` beacon endpoint now returns `405 Method Not Allowed` for non-POST requests instead of `404 Not Found`. The response includes an `Allow: POST, OPTIONS` header per [RFC 9110 ยง15.5.6](https://www.rfc-editor.org/rfc/rfc9110#section-15.5.6). + +Previously, sending a `GET` or other non-POST request to this endpoint returned a `404`, which was misleading because it suggested the endpoint did not exist. The new `405` response clearly indicates that the endpoint exists but only accepts `POST` requests. + +The Web Analytics beacon (`beacon.min.js`) already uses `POST` for all metric submissions, so this change does not affect normal beacon operation. `OPTIONS` requests for CORS preflight continue to work as before. + +For more information, refer to the [Web Analytics FAQ](/web-analytics/faq/#why-am-i-getting-a-405-method-not-allowed-error-from-cdn-cgirum). diff --git a/src/content/docs/web-analytics/faq.mdx b/src/content/docs/web-analytics/faq.mdx index 8da3c9c82f4c0db..a4a61dfa68dbc76 100644 --- a/src/content/docs/web-analytics/faq.mdx +++ b/src/content/docs/web-analytics/faq.mdx @@ -52,6 +52,14 @@ Since only one JS snippet can be rendered and used per page, you cannot have mul If you have a `Cache-Control` header set to `public, no-transform`, Cloudflare proxy will not be able to modify the original payload of the website. Therefore, the Beacon script will not be automatically injected to your site, and Web Analytics will not work. Refer to [Origin cache control](/cache/concepts/cache-control/) for more information. +### Why am I getting a `405 Method Not Allowed` error from `/cdn-cgi/rum`? + +The `/cdn-cgi/rum` endpoint only accepts `POST` requests for data ingestion. If you send a request using any other HTTP method (for example, `GET`, `PUT`, or `DELETE`), the endpoint returns a `405 Method Not Allowed` response with an `Allow: POST, OPTIONS` header. + +The Web Analytics beacon (`beacon.min.js`) always uses `POST` when reporting metrics. If you see `405` errors in your logs, the requests are not coming from the beacon itself. + +No action is required unless you are making custom requests to this endpoint. If you are, ensure your implementation uses the `POST` method. `OPTIONS` requests (CORS preflight) are also supported and will continue to work normally. + --- ## Setup From 4a2098f67bd5f7c071dbb5f3ece673d8e2c5ce53 Mon Sep 17 00:00:00 2001 From: Joseph Burns <44384747+MildMax@users.noreply.github.com> Date: Wed, 13 May 2026 12:41:50 -0400 Subject: [PATCH 2/3] Update src/content/docs/web-analytics/faq.mdx Co-authored-by: Ryan Townsend --- src/content/docs/web-analytics/faq.mdx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/content/docs/web-analytics/faq.mdx b/src/content/docs/web-analytics/faq.mdx index a4a61dfa68dbc76..e4b734420fb7c0e 100644 --- a/src/content/docs/web-analytics/faq.mdx +++ b/src/content/docs/web-analytics/faq.mdx @@ -58,7 +58,9 @@ The `/cdn-cgi/rum` endpoint only accepts `POST` requests for data ingestion. If The Web Analytics beacon (`beacon.min.js`) always uses `POST` when reporting metrics. If you see `405` errors in your logs, the requests are not coming from the beacon itself. -No action is required unless you are making custom requests to this endpoint. If you are, ensure your implementation uses the `POST` method. `OPTIONS` requests (CORS preflight) are also supported and will continue to work normally. +They are most likely coming from an automated testing tool making erroneous requests, in which case you should correct it to use `POST` or ignore the errors. + +We do not support custom integrations directly with the endpoint: all requests should originate from our beacon JavaScript. --- From 8bceab435c644fcd27532306bf4183de08df7680 Mon Sep 17 00:00:00 2001 From: Joseph Burns <44384747+MildMax@users.noreply.github.com> Date: Mon, 18 May 2026 10:27:15 -0400 Subject: [PATCH 3/3] Apply suggestion from @ryantownsend Co-authored-by: Ryan Townsend --- src/content/docs/web-analytics/faq.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/web-analytics/faq.mdx b/src/content/docs/web-analytics/faq.mdx index e4b734420fb7c0e..3b7a4c8db751c24 100644 --- a/src/content/docs/web-analytics/faq.mdx +++ b/src/content/docs/web-analytics/faq.mdx @@ -54,7 +54,7 @@ If you have a `Cache-Control` header set to `public, no-transform`, Cloudflare p ### Why am I getting a `405 Method Not Allowed` error from `/cdn-cgi/rum`? -The `/cdn-cgi/rum` endpoint only accepts `POST` requests for data ingestion. If you send a request using any other HTTP method (for example, `GET`, `PUT`, or `DELETE`), the endpoint returns a `405 Method Not Allowed` response with an `Allow: POST, OPTIONS` header. +The `/cdn-cgi/rum` endpoint only accepts `POST` requests for data ingestion. If you send a request using any other HTTP method (for example, `GET`, `PUT`, or `DELETE`), the endpoint returns a `405 Method Not Allowed` response with an `Allow: POST, OPTIONS` header (`OPTIONS` is allowed for [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS) support). The Web Analytics beacon (`beacon.min.js`) always uses `POST` when reporting metrics. If you see `405` errors in your logs, the requests are not coming from the beacon itself.