Yii2 - 405 on REST POST over HTTPS


I have REST POST route that works perfectly over HTTP, as soon as I make the same request over HTTPS(SSL) I get a 405 (method not allowed). I have looked at explicitly allowing the POST method on the CREATE action in the AccessControlFilter


  'allow' => true,

  'actions' => ['create'],

  'verbs' => ['GET', 'POST'],


That hasn’t solved the problem. I have tried setting this with the VerbFilter

$behaviors['verbs'] = [

                'class' => \yii\filters\VerbFilter::className(),

                'actions' => [


                    'create' => ['get', 'post'],




and that doesn’t seem to do the work either. I am yet to dig deeper into the VerbFilter class code just to understand a bit better what’s going on (because the exception is being thrown from there - I believe), but I was wondering if anyone has any leads on what could be causing the error and what would be the possible solution.

  1. Is it something with the urlManager and setting specific rules?

  2. Could it be to do with the CSRF token? I doubt though because the request is handled okay over HTTP

  3. …?

I will appreciate any leads.


------- Extra info ----------

I have tried this with the Postman REST client, curl and an Android client.

The exact error that I’m getting is

{"name":"Method Not Allowed","message":"Method Not Allowed. This url can only handle the following request methods: POST.","code":0,"status":405}

so it seems that somehow the request is not being seen as a POST request by the VerbFilter. As I indicated this only happens when the request is made over HTTPS.


You can declare the one public variable…

I have public $enableCsrfValidation = false; , this works but not sounds nice.

Thanks for the suggestion.

I managed to find the solution : I am using a custom urlManager to handle secure/nonsecure routes on my application (as per http://www.yiiframework.com/wiki/407/url-management-for-websites-with-secure-and-nonsecure-pages/) and since the REST interface is implemented in a module, my urlManager was not able to process the request correctly. The fix is an update to the isSecureRoute() function as suggest in that same post by avner (on 2015/03/30 at 06:40pm)