
Apr 21, 2021 - 2 minute read - API Testing API Challenges Evil Tester

Challenge 13 - How To - OPTIONS todos - 200

This post and video show how to complete the challenge OPTIONS /todos (200) to successfully identify the allowed verbs for an API end point.

What are the API Challenges?

Our API Challenges Application has a fully functional cloud hosted API, and a set of challenges to work through.

OPTIONS /todos (200)

Issue an OPTIONS request on the /todos end point. You might want to manually check the ‘Allow’ header in the response is as expected.

  • An OPTIONS request will receive a response with no body, just headers, if the provided end point exists, i.e. the /todos end point
    • e.g. OPTIONS /todos to show the allowed verbs for the todos endpoint
  • 200 is a success code; in this case it means the end point exists and the OPTIONS verb is allowed
  • The body of the message is empty
  • Add the X-CHALLENGER header to track progress
  • The important header in the response is the Allow header, as this lists all the allowed verbs to use on the end point.

Basic Instructions

  • Issue an OPTIONS request to end point “/todos”
    • if running locally that endpoint would be
      • http://localhost:4567/todos
    • if running in the cloud that endpoint would be
      • https://apichallenges.herokuapp.com/todos
  • The request should have an X-CHALLENGER header to track challenge completion
  • The response status code should be 200 when all the details are valid.
  • Check the Allow header in the response has valid values

As a set of follow on exercises:

  • Try OPTIONS on a few other endpoints in the API and see if the Allow values are different.
  • Try to issue requests for each of the allowed verbs.

Insomnia Details

> OPTIONS /todos HTTP/1.1
> Host: apichallenges.herokuapp.com
> User-Agent: insomnia/2020.3.3
> X-CHALLENGER: x-challenger-guid
> Accept: */*
< HTTP/1.1 200 OK
< Connection: close
< Date: Mon, 12 Apr 2021 09:41:34 GMT
< Allow: OPTIONS, GET, HEAD, POST
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: *
< X-Challenger: x-challenger-guid
< Content-Type: text/html;charset=utf-8
< Server: Jetty(9.4.z-SNAPSHOT)
< Via: 1.1 vegur
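
The manual check of the Allow header can also be scripted. The following is an added example, not code from the original post: it parses a subset of the response headers from the trace above and reports verbs that are missing from, or unexpected against, an expected set. The function names and the expected set (the four verbs shown in the trace) are assumptions made for the example, and fetch_options is defined for live use but is not called here.

```python
import urllib.request

# Subset of the response headers from the Insomnia trace on this page.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Connection: close
Allow: OPTIONS, GET, HEAD, POST
Access-Control-Allow-Origin: *
X-Challenger: x-challenger-guid
"""

def parse_response(raw):
    """Return (status_code, headers) with lower-cased header names."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def allowed_verbs(headers):
    """Split the Allow header into a set of upper-case verbs."""
    raw = headers.get("allow", "")
    return {v.strip().upper() for v in raw.split(",") if v.strip()}

def compare_verbs(actual, expected):
    """Return (missing, unexpected) verbs relative to the expected set."""
    return sorted(expected - actual), sorted(actual - expected)

def fetch_options(url, challenger):
    """Issue a live OPTIONS request and return (status, headers)."""
    req = urllib.request.Request(
        url, method="OPTIONS", headers={"X-CHALLENGER": challenger})
    with urllib.request.urlopen(req) as resp:
        return resp.status, {k.lower(): v for k, v in resp.headers.items()}

if __name__ == "__main__":
    status, headers = parse_response(SAMPLE_RESPONSE)
    expected = {"OPTIONS", "GET", "HEAD", "POST"}  # assumed, from the trace
    missing, unexpected = compare_verbs(allowed_verbs(headers), expected)
    print(status, "missing:", missing, "unexpected:", unexpected)
```

Running the same comparison against other endpoints, as in the follow on exercises, shows at a glance where an endpoint advertises a verb that was not expected.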
