Missing Allow Header in HTTP 405 Responses

[jonatanguillen]

Actual behavior (the bug)
When a 405 Method Not Allowed response is returned, it does not include the Allow header specifying the supported HTTP methods. This is not compliant with the HTTP specification.

Expected behavior
The response should include an Allow header listing the HTTP methods that are supported by the target resource, as required by the HTTP/1.1 specification.

To Reproduce

1. Send a request to an endpoint using an unsupported HTTP method.
2. Observe the response returned with status code 405.
3. Check the headers — the Allow header is missing.

Additional context
According to the HTTP/1.1 specification:

The 405 (Method Not Allowed) status code indicates that the method received in the request-line is known by the origin server but not supported by the target resource. The origin server MUST generate an Allow header field in a 405 response containing a list of the target resource's currently supported methods.

[RedHeadEmile]

Also, would it be possible to add to the documentation that you need to set

Javalin.create(config -> {
            config.http.prefer405over404 = true;
            ....

To get a 405 instead of a 404. I would have liked that to be the default behaviour.

[Playacem]

I personally hope this option would never become a default as that would reveal information about existing paths by default, which is not desirable from a security perspective.