[Video] my API supports only a subset of the HTTP verbs

Some API endpoints may expose access to undocumented verbs (PUT, DELETE, OPTIONS, etc.).

These hidden API operations arise when developers forget to properly remove a deprecated API operation, or when the API server framework supports HTTP verbs by default and they have not been explicitly disabled.

If you don’t securely handle unsupported operations, for example with an HTTP 409 response, your API may behave unexpectedly in ways that can be exploited.
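One way to enforce this, as an added example that is not part of the original page: a deny-by-default WSGI middleware that forwards only documented path and verb pairs and rejects the rest before they reach a backend that would answer any verb. The `/orders` routes, `DOCUMENTED`, `legacy_app` and `probe` are constructed for illustration; this example answers with 405 Method Not Allowed and an `Allow` header, the status HTTP defines for a method the resource does not support.

```python
"""Deny-by-default HTTP method allowlist as WSGI middleware (added example)."""
from wsgiref.util import setup_testing_defaults

# Constructed contract: the only operations the API documents.
DOCUMENTED = {"/orders": {"GET", "POST"}, "/orders/export": {"GET"}}


class MethodAllowlist:
    """Reject every (path, method) pair that is not explicitly documented."""

    def __init__(self, app, documented):
        self.app = app
        self.documented = {p: frozenset(m) for p, m in documented.items()}

    def __call__(self, environ, start_response):
        allowed = self.documented.get(environ.get("PATH_INFO", ""))
        if allowed is None:
            return self._reject(start_response, "404 Not Found", [])
        # Exact match: method tokens are case-sensitive, so "get" is not "GET".
        if environ.get("REQUEST_METHOD", "") not in allowed:
            allow = [("Allow", ", ".join(sorted(allowed)))]
            return self._reject(start_response, "405 Method Not Allowed", allow)
        return self.app(environ, start_response)

    @staticmethod
    def _reject(start_response, status, extra_headers):
        # Empty body: do not echo the request or reveal framework details.
        start_response(status, [("Content-Length", "0")] + extra_headers)
        return [b""]


def legacy_app(environ, start_response):
    """Constructed backend that, like a permissive framework, answers any verb."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["REQUEST_METHOD"].encode()]


def probe(app, path, method):
    """Send one constructed request through the stack; return (status, headers)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": method}
    setup_testing_defaults(environ)  # fills in the remaining WSGI keys
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]


guarded = MethodAllowlist(legacy_app, DOCUMENTED)
```

Running `probe` over every verb against both `legacy_app` and `guarded` shows which undocumented operations the backend would have served and confirms the middleware now refuses them.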

Learn best practices to identify and remove security misconfiguration vulnerabilities in your API.