Block unneeded HTTP verbs before Rails

Description

Currently, we allow unusual HTTP verbs to reach gitlab-rails, resulting in errors like the following:

https://sentry.gitlap.com/gitlab/gitlabcom/issues/18195/

The actual list of permitted verbs is extremely broad - are we ever going to need WebDAV support for instance?

Proposal

Implement a block in NGINX or workhorse so that only HTTP verbs we use are permitted through to Rails. This reduces the cost of handling these kinds of requests, and also happens to clean up sentry for us.

My first instinct is to put such a block in the NGINX configuration, so I've opened the issue here, but it could be workhorse. Wdyt @jacobvosmaer-gitlab @maratkalibek ?

/cc @smcgivern

Edited Sep 25, 2025 by 🤖 GitLab Bot 🤖
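
One way to implement the verb block proposed in the description, written as Go HTTP middleware of the kind a Go proxy such as workhorse could place in front of Rails. This is an added example, not GitLab's code: the allowlist and the names `allowedVerbs`, `verbFilter` and `probe` are assumptions, since the issue does not list the verbs Rails actually needs.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowedVerbs is an assumed allowlist; the issue does not enumerate it.
var allowedVerbs = []string{"DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"}

// verbFilter answers 405 for any method outside allowed, so the request
// never reaches next (the stand-in for the proxy to Rails).
func verbFilter(allowed []string, next http.Handler) http.Handler {
	set := make(map[string]struct{}, len(allowed))
	for _, v := range allowed {
		set[v] = struct{}{}
	}
	allowHeader := strings.Join(allowed, ", ")
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Methods are case-sensitive (RFC 9110), so "get" is rejected too.
		if _, ok := set[r.Method]; !ok {
			// RFC 9110 requires an Allow header on a 405 response.
			w.Header().Set("Allow", allowHeader)
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through the filter and reports the
// status, the Allow header, and whether the upstream handler was reached.
func probe(method string) (status int, allow string, reached bool) {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		reached = true // handler returns 200 by default
	})
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(method, "/constructed/path", nil)
	verbFilter(allowedVerbs, upstream).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Allow"), reached
}

func main() {
	// Constructed sample methods, including WebDAV verbs and a lowercase one.
	for _, m := range []string{"GET", "POST", "PROPFIND", "MKCOL", "TRACE", "get"} {
		status, _, reached := probe(m)
		fmt.Printf("%-8s -> %d upstream=%v\n", m, status, reached)
	}
}
```

Because the rejection happens before `next` is called, filtered requests cost one map lookup and never produce an upstream error to report.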