SWA Proxy Returning 405 Method Not Allowed for POST Request

Question

SWA Proxy Returning 405 Method Not Allowed for POST Request

Ian Thomson 0

The backend API at https://changemanagement-backend-ahfre3hvgcerbrgp.canadacentral-01.azurewebsites.net/api/auth/login works correctly with POST when called directly. The Static Web App (SWA) at https://happy-dune-05915200f.6.azurestaticapps.net is configured with staticwebapp.config.json to proxy /api/* (including POST methods) to this backend.

The SWA "Application Configuration" view in the portal shows that it has parsed the rewrite rule correctly. However, when the frontend (served by SWA) makes a POST request to /api/auth/login, SWA returns a 405 Method Not Allowed with an Allow: GET, HEAD, OPTIONS header, and the browser does not seem to be sending an OPTIONS preflight request.

This indicates that the SWA proxy is not correctly applying the routing/method rules for the POST request. Additional support from Azure may be needed to address this issue.

Prabhavathi Manchala 2,315 Reputation points Microsoft External Staff Moderator

2025-05-30T01:13:58.7+00:00
Hi Ian Thomson,

Your Static Web App (SWA) is returning a 405 Method Not Allowed error when making a POST request to /api/auth/login, even though your backend API (hosted on Azure App Service) works correctly when called directly. This happens because SWA is not forwarding the POST request as expected—it’s allowing only GET, HEAD, and OPTIONS methods through its proxy for that path.

By default, SWA reserves the /api/* path for Azure Functions. So unless you explicitly configure a rewrite or proxy rule in your staticwebapp.config.json, SWA will assume you're calling a built-in function. In your case, even though you're trying to route to an external API, SWA is still treating /api/* as an internal route and rejecting unsupported methods like POST. This is likely due to a missing or incorrect proxy rule in the config file.

To fix this issue, you need to update your staticwebapp.config.json to clearly tell SWA to forward all /api/* requests to your external backend and allow all HTTP methods like POST.

Below is the suggested configuration:

{ "routes": [ { "route": "/api/*", "rewrite": "https://changemanagement-backend-ahfre3hvgcerbrgp.canadacentral-01.azurewebsites.net/api/*", "allowedMethods": ["GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD", "PATCH"] } ], "responseOverrides": { "404": { "rewrite": "/index.html" } } }

Use rewrite (not proxy) to forward /api/* with POST and OPTIONS allowed, clearly configure /api/* if no Azure Functions are used, update and deploy your staticwebapp.config.json to avoid conflicts, then test to confirm POST works properly.

Static Web Apps Configuration

Azure Static Web Apps with API

Ian Thomson 0

I updated it (see below). I still get the same error message. I am not sure what I am doing wrong.

{
  "routes": [
    {
      "route": "/api/*",
      "allowedMethods": ["GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD", "PATCH"],
      "rewrite": "https://changemanagement-backend-ahfre3hvgcerbrgp.canadacentral-01.azurewebsites.net/api/{*restOfPath}"
    }
  ],
  "navigationFallback": {
    "rewrite": "/index.html",
    "exclude": ["/static/css/*", "/static/js/*", "/static/media/*", "*.{png,jpg,gif,svg,ico}"]
  },
  "globalHeaders": {
    "Content-Security-Policy": "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
  },
  "mimeTypes": {
    ".json": "application/json",
    ".webmanifest": "application/manifest+json"
  }
}

Prabhavathi Manchala 2,315 Microsoft External Staff Moderator

Hi Ian Thomson,

Apologies for the inconvenience, could you please try the updated code below.

{
  "routes": [
    {
      "route": "/api/*",
      "rewrite": "https://changemanagement-backend-ahfre3hvgcerbrgp.canadacentral-01.azurewebsites.net/api/:rest*",
      "allowedMethods": ["GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD", "PATCH"],
      "headers": {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH",
        "Access-Control-Allow-Headers": "*"
      }
    }
  ],
  "navigationFallback": {
    "rewrite": "/index.html",
    "exclude": ["/static/css/*", "/static/js/*", "/static/media/*", "*.{png,jpg,gif,svg,ico}"]
  },
  "globalHeaders": {
    "Content-Security-Policy": "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'",
    "Access-Control-Allow-Origin": "*"
  },
  "mimeTypes": {
    ".json": "application/json",
    ".webmanifest": "application/manifest+json"
  }
}

Ian Thomson 0 Reputation points

2025-05-30T03:11:56.86+00:00

Thank you so much for your help so far. I am trying it now, just waiting for the build to complete. Quick question, should it me methods or allowedMethods. I am getting this from the console: allow

GET, HEAD, OPTIONS

content-length

0

date

Fri, 30 May 2025 03:11:08 GMT
Ian Thomson 0 Reputation points

2025-05-30T03:13:54.6666667+00:00

When I look at the routes, there is nothing defined.
Prabhavathi Manchala 2,315 Reputation points Microsoft External Staff Moderator

2025-05-30T03:56:41.2666667+00:00

Hi Ian Thomson,

Quick question, should it be methods or allowedMethods.

The correct property name is allowedMethods, which Azure Static Web Apps (SWA) uses to define the allowed HTTP methods for a route. If you use methods instead or omit allowedMethods, SWA defaults to allowing only GET, HEAD, and OPTIONS requests, causing the header to display allow: GET, HEAD, OPTIONS.

When you say there is nothing defined in the routes, it usually means your staticwebapp.config.json file either doesn’t have a routes section or wasn’t deployed properly. As a result, the Static Web App uses the default settings and doesn’t know to send your /api/* calls to the backend, causing the 405 errors.

Make sure your staticwebapp.config.json file has the routes section with your proxy or rewrite rules, and that the file is committed and pushed to the branch your Static Web App builds from. Wait for the build and deployment to finish, Then, verify that your route rules appear in the Azure Portal.
Ian Thomson 0 Reputation points

2025-05-30T15:25:15.48+00:00

the staticwebapp.config.json is in the frontend directory. It is defined as you suggested. Folling are results from the deploy: So we know it is using the file. But nothing defined in the routes section.

---End of Oryx build logs---

163Try to validate location at: '/bin/staticsites/bac82bc2-2922-445f-9fda-b7ac48e312de-swa-oryx/app/build'.

164Finished building app with Oryx

165Using 'staticwebapp.config.json' file for configuration information, 'routes.json' will be ignored.

166Copying 'staticwebapp.config.json' to build output

167No Api directory specified. Azure Functions will not be created.

168Either no Api directory was specified, or the specified directory was not found. Azure Functions will not be created.

169Zipping App Artifacts

170Done Zipping App Artifacts

171Uploading build artifacts.

172Finished Upload. Polling on deployment.

173Status: InProgress. Time: 0.1695364(s)

174Status: InProgress. Time: 15.2812391(s)

Ian Thomson 0

Here is the contents of the config file.

{

"routes": [

{

  "route": "/api/*",

  "rewrite": "https://changemanagement-backend-ahfre3hvgcerbrgp.canadacentral-01.azurewebsites.net/api/:rest*",

  "allowedMethods": ["GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD", "PATCH"],

  "headers": {

    "Access-Control-Allow-Origin": "*",

    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH",

    "Access-Control-Allow-Headers": "*"

  }

}

],

"navigationFallback": {

"rewrite": "/index.html",

"exclude": ["/static/css/*", "/static/js/*", "/static/media/*", "*.{png,jpg,gif,svg,ico}"]

},

"globalHeaders": {

"Content-Security-Policy": "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'",

"Access-Control-Allow-Origin": "*"

},

"mimeTypes": {

".json": "application/json",

".webmanifest": "application/manifest+json"

}

Ian Thomson 0 Reputation points

2025-05-30T16:54:34.5133333+00:00

However it still does not work. I am at a loss.
Bodapati Harish 820 Reputation points Microsoft External Staff Moderator

2025-06-03T15:43:31.7066667+00:00

Hello Ian Thomson

One more thing to check is whether your App Service itself is correctly handling the OPTIONS (preflight) request. Even if SWA’s config allows OPTIONS, if the backend immediately returns 405 on OPTIONS, the browser will never send the POST. Try sending a raw OPTIONS request (via curl or Postman) to https://changemanagement-backend-…/api/auth/login and see if you get back a 200 with the proper CORS headers.

In many frameworks you also need to explicitly enable CORS in the server code (e.g. call app.UseCors(...) before your routes in ASP.NET Core, or add an OPTIONS handler in Node/Express). If OPTIONS is failing at the App Service layer, SWA won’t be able to proxy the POST, so fixing that preflight response usually solves the 405.
Bodapati Harish 820 Reputation points Microsoft External Staff Moderator

2025-06-04T09:55:08.8466667+00:00

Hello Ian Thomson

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

1 answer

Your answer

Prabhavathi Manchala 2,315 Reputation points Microsoft External Staff Moderator

2025-05-30T01:13:58.7+00:00

Hi Ian Thomson,

Your Static Web App (SWA) is returning a 405 Method Not Allowed error when making a POST request to /api/auth/login, even though your backend API (hosted on Azure App Service) works correctly when called directly. This happens because SWA is not forwarding the POST request as expected—it’s allowing only GET, HEAD, and OPTIONS methods through its proxy for that path.

By default, SWA reserves the /api/* path for Azure Functions. So unless you explicitly configure a rewrite or proxy rule in your staticwebapp.config.json, SWA will assume you're calling a built-in function. In your case, even though you're trying to route to an external API, SWA is still treating /api/* as an internal route and rejecting unsupported methods like POST. This is likely due to a missing or incorrect proxy rule in the config file.

To fix this issue, you need to update your staticwebapp.config.json to clearly tell SWA to forward all /api/* requests to your external backend and allow all HTTP methods like POST.

Below is the suggested configuration:

{ "routes": [ { "route": "/api/*", "rewrite": "https://changemanagement-backend-ahfre3hvgcerbrgp.canadacentral-01.azurewebsites.net/api/*", "allowedMethods": ["GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD", "PATCH"] } ], "responseOverrides": { "404": { "rewrite": "/index.html" } } }

Use rewrite (not proxy) to forward /api/* with POST and OPTIONS allowed, clearly configure /api/* if no Azure Functions are used, update and deploy your staticwebapp.config.json to avoid conflicts, then test to confirm POST works properly.

Static Web Apps Configuration

Azure Static Web Apps with API
Ian Thomson 0 Reputation points

2025-05-30T02:17:07.1566667+00:00

I updated it (see below). I still get the same error message. I am not sure what I am doing wrong.

{ "routes": [ { "route": "/api/*", "allowedMethods": ["GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD", "PATCH"], "rewrite": "https://changemanagement-backend-ahfre3hvgcerbrgp.canadacentral-01.azurewebsites.net/api/{*restOfPath}" } ], "navigationFallback": { "rewrite": "/index.html", "exclude": ["/static/css/*", "/static/js/*", "/static/media/*", "*.{png,jpg,gif,svg,ico}"] }, "globalHeaders": { "Content-Security-Policy": "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'" }, "mimeTypes": { ".json": "application/json", ".webmanifest": "application/manifest+json" } }
Prabhavathi Manchala 2,315 Reputation points Microsoft External Staff Moderator

2025-05-30T03:00:23.4566667+00:00

Hi Ian Thomson,

Apologies for the inconvenience, could you please try the updated code below.

{ "routes": [ { "route": "/api/*", "rewrite": "https://changemanagement-backend-ahfre3hvgcerbrgp.canadacentral-01.azurewebsites.net/api/:rest*", "allowedMethods": ["GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD", "PATCH"], "headers": { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH", "Access-Control-Allow-Headers": "*" } } ], "navigationFallback": { "rewrite": "/index.html", "exclude": ["/static/css/*", "/static/js/*", "/static/media/*", "*.{png,jpg,gif,svg,ico}"] }, "globalHeaders": { "Content-Security-Policy": "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'", "Access-Control-Allow-Origin": "*" }, "mimeTypes": { ".json": "application/json", ".webmanifest": "application/manifest+json" } }
Ian Thomson 0 Reputation points

2025-05-30T03:11:56.86+00:00

Thank you so much for your help so far. I am trying it now, just waiting for the build to complete. Quick question, should it me methods or allowedMethods. I am getting this from the console: allow

GET, HEAD, OPTIONS

content-length

0

date

Fri, 30 May 2025 03:11:08 GMT
Ian Thomson 0 Reputation points

2025-05-30T03:13:54.6666667+00:00

When I look at the routes, there is nothing defined.
Prabhavathi Manchala 2,315 Reputation points Microsoft External Staff Moderator

2025-05-30T03:56:41.2666667+00:00

Hi Ian Thomson,

Quick question, should it be methods or allowedMethods.

The correct property name is allowedMethods, which Azure Static Web Apps (SWA) uses to define the allowed HTTP methods for a route. If you use methods instead or omit allowedMethods, SWA defaults to allowing only GET, HEAD, and OPTIONS requests, causing the header to display allow: GET, HEAD, OPTIONS.

When you say there is nothing defined in the routes, it usually means your staticwebapp.config.json file either doesn’t have a routes section or wasn’t deployed properly. As a result, the Static Web App uses the default settings and doesn’t know to send your /api/* calls to the backend, causing the 405 errors.

Make sure your staticwebapp.config.json file has the routes section with your proxy or rewrite rules, and that the file is committed and pushed to the branch your Static Web App builds from. Wait for the build and deployment to finish, Then, verify that your route rules appear in the Azure Portal.
Ian Thomson 0 Reputation points

2025-05-30T15:25:15.48+00:00

the staticwebapp.config.json is in the frontend directory. It is defined as you suggested. Folling are results from the deploy: So we know it is using the file. But nothing defined in the routes section.

---End of Oryx build logs---

163Try to validate location at: '/bin/staticsites/bac82bc2-2922-445f-9fda-b7ac48e312de-swa-oryx/app/build'.

164Finished building app with Oryx

165Using 'staticwebapp.config.json' file for configuration information, 'routes.json' will be ignored.

166Copying 'staticwebapp.config.json' to build output

167No Api directory specified. Azure Functions will not be created.

168Either no Api directory was specified, or the specified directory was not found. Azure Functions will not be created.

169Zipping App Artifacts

170Done Zipping App Artifacts

171Uploading build artifacts.

172Finished Upload. Polling on deployment.

173Status: InProgress. Time: 0.1695364(s)

174Status: InProgress. Time: 15.2812391(s)
Ian Thomson 0 Reputation points

2025-05-30T15:27:52.9466667+00:00

Here is the contents of the config file.

{

"routes": [

{ "route": "/api/*", "rewrite": "https://changemanagement-backend-ahfre3hvgcerbrgp.canadacentral-01.azurewebsites.net/api/:rest*", "allowedMethods": ["GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD", "PATCH"], "headers": { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH", "Access-Control-Allow-Headers": "*" } }

],

"navigationFallback": {

"rewrite": "/index.html", "exclude": ["/static/css/*", "/static/js/*", "/static/media/*", "*.{png,jpg,gif,svg,ico}"]

},

"globalHeaders": {

"Content-Security-Policy": "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'", "Access-Control-Allow-Origin": "*"

},

"mimeTypes": {

".json": "application/json", ".webmanifest": "application/manifest+json"

}

}
Ian Thomson 0 Reputation points

2025-05-30T16:54:34.5133333+00:00

However it still does not work. I am at a loss.
Bodapati Harish 820 Reputation points Microsoft External Staff Moderator

2025-06-03T15:43:31.7066667+00:00

Hello Ian Thomson

One more thing to check is whether your App Service itself is correctly handling the OPTIONS (preflight) request. Even if SWA’s config allows OPTIONS, if the backend immediately returns 405 on OPTIONS, the browser will never send the POST. Try sending a raw OPTIONS request (via curl or Postman) to https://changemanagement-backend-…/api/auth/login and see if you get back a 200 with the proper CORS headers.

In many frameworks you also need to explicitly enable CORS in the server code (e.g. call app.UseCors(...) before your routes in ASP.NET Core, or add an OPTIONS handler in Node/Express). If OPTIONS is failing at the App Service layer, SWA won’t be able to proxy the POST, so fixing that preflight response usually solves the 405.
Bodapati Harish 820 Reputation points Microsoft External Staff Moderator

2025-06-04T09:55:08.8466667+00:00

Hello Ian Thomson

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

Answer 1

Hello Ian Thomson,

First, SWA needs a special configuration file named staticwebapp.config.json right beside your built index.html. During your build or deployment, you should see a message like below.

Copying 'staticwebapp.config.json' to build output

If you don’t see that, SWA never picked up the file and will ignore any proxy rules you wrote. Make sure the file actually lives in the final folder that SWA publishes.

Inside that file, SWA expects you to use the word methods, not “allowedMethods.” If you write “allowedMethods,” SWA will act as if you only asked it to allow GET, HEAD, and OPTIONS, and it will reject POST. You also must use a placeholder called {*restOfPath} so that SWA knows to take whatever comes after /api/ and append it to the backend URL exactly. If you use any other placeholder, SWA won’t match the rule at all, and you’ll still see “No routes to display” in the portal.

A simple, correct staticwebapp.config.json might look like this check below.

{

  "routes": [

    {

      "route": "/api/*",

      "methods": ["GET","POST","PUT","DELETE","OPTIONS","HEAD","PATCH"],

      "rewrite": "https://changemanagement-backend-ahfre3hvgcerbrgp.canadacentral-01.azurewebsites.net/api/{*restOfPath}"

    }

  ],

  "navigationFallback": {

    "rewrite": "/index.html",

    "exclude": [

      "/static/css/*",

      "/static/js/*",

      "/static/media/*",

      "*.{png,jpg,gif,svg,ico}"

    ]

  }

}

After you save and push that file, wait for your SWA build to finish. Then check under Configuration < Route Rules in the Azure portal. You should see your /api/* rule with all the HTTP verbs listed. If it still says, “No routes,” SWA isn’t seeing your file, so you’ll need to double-check where you placed it.

Once SWA is configured to forward POST, PUT, DELETE, and so on, the browser will send a small “preflight” check called an OPTIONS request before the actual POST. Even though SWA will forward that OPTIONS request to your backend, your backend must answer it without a 405 error—otherwise, the browser never moves on to POST. To test this, open a terminal and run exactly this command:


curl -i -X OPTIONS \

  -H "Origin: https://happy-dune-05915200f.6.azurestaticapps.net" \

  -H "Access-Control-Request-Method: POST" \

  https://changemanagement-backend-ahfre3hvgcerbrgp.canadacentral-01.azurewebsites.net/api/auth/login

If the App Service is set up correctly, you should see - HTTP/1.1 200 OK

But if you see 405 Method Not Allowed, your server is refusing that preflight check. In that case, you need to add CORS support or an OPTIONS handler in the code so that when the browser asks, “Can I send a POST?” your server replies “Yes, you can.” For example, in ASP .NET Core you might call app.UseCors(...) so that OPTIONS requests return 200 with the right headers. In Node or Express you might use the cors middleware or add a small route like below.


app.options("/api/auth/login", (req, res) => {

  res.set({

    "Access-Control-Allow-Origin": "https://happy-dune-05915200f.6.azurestaticapps.net",

    "Access-Control-Allow-Methods": "GET, POST, OPTIONS, PUT, DELETE",

    "Access-Control-Allow-Headers": "Content-Type, Authorization"

  });

  return res.sendStatus(200);

});

Once the backend answers OPTIONS with a 200 and the CORS headers, SWA can forward the actual POST. To confirm everything is working, try sending a POST directly through your SWA domain (this skips the browser and any cached CORS decisions).


curl -i -X POST \

  -H "Content-Type: application/json" \

  -d '{"username":"alice","password":"secret"}' \

  https://happy-dune-05915200f.6.azurestaticapps.net/api/auth/login

If SWA is forwarding correctly and the backend is accepting POST, you will see whatever response the App Service sends back no more 405 error. Hope this helps!

If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions, please reply back.

Bodapati Harish 820 Reputation points Microsoft External Staff Moderator

2025-06-06T08:28:28.0533333+00:00

Hello Ian Thomson,

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Bodapati Harish 820 Reputation points Microsoft External Staff Moderator

2025-06-09T07:44:53.51+00:00

Hello Ian Thomson,

Following up to check if the issue is resolved or if you need any further assistance. Let me know how it's going.

Share via

SWA Proxy Returning 405 Method Not Allowed for POST Request

1 answer

Your answer