HTTP 405 vs 501 — Method Not Allowed vs Not Implemented Comparison
http 405 vs 501: 405 means this method isn't allowed on this resource, 501 means the server doesn't implement the method at all. With Allow header guidance.
Quick Cheat Sheet
| Aspect | 405 Method Not Allowed | 501 Not Implemented |
|---|---|---|
| Class | 4xx — Client Error | 5xx — Server Error |
| Scope | This method on this resource | This method on any resource |
| Required header | Allow: listing valid methods |
None (but helpful) |
| Cacheable? | Cacheable | Cacheable by default |
The Subtle but Important Difference
405 Method Not Allowed (RFC 9110 § 15.5.6) means the resource exists but doesn't accept this method. /users/123 accepts GET and PATCH, but you tried DELETE. The fix is for the client to use a different method on the same URL.
501 Not Implemented (RFC 9110 § 15.6.2) means the server doesn't recognize the method at all. The classic example is a server that has never heard of PROPFIND (a WebDAV method). It's not "you can't use this here" — it's "I don't know what that word means."
The Allow Header Requirement
Per RFC 9110, a 405 response MUST include an Allow header listing the supported methods for that resource:
HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, PATCH
Many APIs forget this, and clients have no idea what to retry with. Don't be that API.
Caching Implications
This is a sleeper rule that bites people: 501 is heuristically cacheable by default (RFC 9110 § 15.6.2). If a CDN sees a 501 for a URL, it may cache that response for a long time. Be careful — if you're returning 501 due to a deployment bug, your CDN might serve it to other clients for hours.
405 is also cacheable but less aggressively in practice.
When You'll See Each
- 405 is everywhere in REST APIs: trying POST on a list-only endpoint, or DELETE on a read-only resource.
- 501 is rare in modern apps. You'll see it from servers when CONNECT, TRACE, PROPFIND, or other extended methods are sent to a vanilla web server.
In Practice
- Return 405 when the method is well-known but disallowed for this URL. Always include
Allow. - Return 501 when you receive a method your server has no notion of — though most reverse proxies will handle this for you and reject the request before it reaches your app.
- Don't return 501 for "this feature isn't built yet" — that's an internal product decision; return 404 or 403 if the endpoint shouldn't be discoverable, or 503 if temporarily disabled.
Real-World Examples
- Nginx with
limit_except GET POST { deny all; }returns 405 with the appropriateAllowheader. - Apache mod_dav returns 501 when WebDAV methods are sent without DAV being enabled.
Real-World Use Case
A Next.js Route Handler that only exports GET should respond to PUT requests with 405 Method Not Allowed and Allow: GET. In contrast, a custom proxy that doesn't implement HTTP/2 server push frames should respond with 501 to the unsupported method/extension. Never use 501 for 'TODO not implemented yet' — clients (and CDNs) may cache that.
Look Up Any Status Code
Related Comparisons
HTTP 415 vs 406 — Unsupported Media Type vs Not Acceptable Comparison
http 415 vs 406: 415 is about Content-Type the client sent, 406 is about Accept the client wants. Learn the request vs response negotiation difference.
HTTP 401 vs 403 — Unauthorized vs Forbidden Status Code Comparison
Confused about http 401 vs 403? Learn the exact difference between Unauthorized and Forbidden, when each is returned, and how Express, Stripe, and GitHub APIs use them.
HTTP 404 vs 410 — Not Found vs Gone Status Code Comparison
http 404 vs 410: Not Found means the resource may exist later, while Gone signals permanent deletion. Learn how Google indexing, CDN caching, and SEO are affected.
HTTP 414 vs 413 — URI Too Long vs Payload Too Large Comparison
http 414 vs 413: 414 fires when the URL itself is too long, 413 when the request body is too big. Learn typical limits in Nginx, ALB, and Cloudflare.