HTTP Methods Checker

Probe which HTTP methods appear enabled for a set of URLs and flag potentially risky methods (e.g., TRACE).

This actor uses a combination of:

• OPTIONS request + parsing the Allow response header (when present)
• Optional per-method probing (GET/POST/PUT/PATCH/DELETE/OPTIONS/TRACE...) to infer support

What you get

• Dataset: one item per URL with allowedMethods, per-method results, and detected issues.
• Key-value store:
  • SUMMARY: aggregate counts and top issues
  • REPORT: same as summary (structured JSON)

Input

• Start URLs (startUrls): list of URLs to check (Request List Sources format)
• Max URLs (maxUrls): limit processed URLs
• Request timeout (timeoutSecs): timeout per request
• Follow redirects (followRedirects) + Max redirects (maxRedirects)
• Send OPTIONS request (probeWithOptions)
• Probe methods individually (probeIndividualMethods)
• Methods to test (methodsToTest): array like ["GET","POST","PUT","DELETE","PATCH","OPTIONS","TRACE"]
• Treat 401/403 as supported (treat401And403AsAllowed): consider auth/forbidden as “method exists”
• User-Agent (userAgent)
• Max concurrency (maxConcurrency)
• Proxy configuration (proxyConfiguration)

Output (dataset fields)

Each dataset item includes:

• startUrl, finalUrl, statusCode, redirected, checkedAt
• testedMethods, allowedMethods, disallowedMethods, unknownMethods
• riskyMethodsAllowed (e.g., TRACE)
• securityScore (0–100 heuristic)
• issues (warnings/errors)
• methodResults (status code + allow inference per method)

Notes / limitations

• Some servers omit Allow for OPTIONS, or return generic error codes for uncommon methods.
• WAF/CDN behavior may cause false positives/negatives.
• For body methods (POST/PUT/PATCH) the actor sends an empty body.

Example input

{
  "startUrls": [{"url":"https://example.com"}, {"url":"https://httpbin.org"}],
  "maxUrls": 2,
  "timeoutSecs": 20,
  "probeWithOptions": true,
  "probeIndividualMethods": true,
  "methodsToTest": ["GET","HEAD","POST","PUT","PATCH","DELETE","OPTIONS","TRACE"],
  "maxConcurrency": 2,
  "proxyConfiguration": {"useApifyProxy": false}
}

Quick start

Store page: https://apify.com/scrappy_garden/http-methods-checker

Paste this into Input and click Run:

{
  "startUrls": [
    {
      "url": "https://example.com/"
    }
  ],
  "proxyConfiguration": {
    "useApifyProxy": false
  }
}

Outputs (what you get)

• Dataset: Dataset items typically include fields like: startUrl, finalUrl, statusCode, redirected, optionsAllow, allowedMethods, riskyMethodsAllowed, securityScore, warningCount, errorCount.
• Key-value store: REPORT, SUMMARY

Tips (trust + predictable results)

• Start with 1–3 URLs to validate behavior, then scale up.
• If a target blocks requests, enable Proxy and/or slow down concurrency in Input.
• Use the SUMMARY / REPORT keys (when present) for automation pipelines and monitoring.

Related actors

• broken-link-checker (https://apify.com/scrappy_garden/broken-link-checker)
• canonical-url-checker (https://apify.com/scrappy_garden/canonical-url-checker)
• meta-tag-analyzer (https://apify.com/scrappy_garden/meta-tag-analyzer)
• security-headers-checker (https://apify.com/scrappy_garden/security-headers-checker)

Search keywords

http methods checker, http methods checker - detect enabled methods (trace/put/delete/etc.), website audit, seo