Safe approach to HTTP request methods with a graphql/API application that only requires GET and POST – Information Security Stack Exchange
My application uses GET for requests for the main application and POST for the API route.
I've read here that HEAD should be allowed as best practice, since crawlers etc. can use it and it is generally considered safe (in the way GET is, as it doesn't mutate data).
So it would seem that no other request methods are required by my app, and I can filter incoming requests to check if the request method is either HEAD, GET or POST, throwing a 501 Not Implemented error if that is the case.
Can anyone see any problems I may run in to if I take this approach? Thanks.
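One way to implement the allowlist described in the question, as an added example that is not part of the question or any answer to it. It assumes a Node.js server with Connect-style (req, res, next) middleware, and it answers a disallowed method with 405 Method Not Allowed plus the Allow header that RFC 9110 requires alongside a 405, rather than the 501 proposed above:

```javascript
// Added example (not from the question): a framework-agnostic HTTP method
// allowlist for a server that serves a web app over GET/HEAD and a GraphQL
// API over POST. Every other method gets 405 plus an Allow header, so clients
// and scanners see the policy explicitly instead of a generic 501.
'use strict';

const ALLOWED = Object.freeze(['GET', 'HEAD', 'POST']);

// Pure decision function so the policy can be unit-tested without a server.
// Matching is case-sensitive on purpose: HTTP method tokens are case-sensitive,
// so "get" is not "GET" and must not slip past the filter.
function decideMethod(method, allowed = ALLOWED) {
  if (typeof method === 'string' && allowed.includes(method)) {
    return { ok: true };
  }
  return { ok: false, status: 405, allow: allowed.join(', ') };
}

// Middleware in the (req, res, next) shape used by Node's http module and by
// Express/Connect-style routers. Hypothetical name; not a library API.
function methodFilter(allowed = ALLOWED) {
  return function (req, res, next) {
    const verdict = decideMethod(req.method, allowed);
    if (verdict.ok) return next();
    res.statusCode = verdict.status;
    res.setHeader('Allow', verdict.allow);
    // Deliberately no body that echoes the method: never reflect
    // attacker-controlled request data in an error page.
    res.end();
  };
}

// Constructed stand-in for a Node response object, used to exercise the
// middleware offline without opening a socket.
function fakeResponse() {
  const headers = {};
  return {
    statusCode: 200,
    headers,
    ended: false,
    setHeader(name, value) { headers[name] = value; },
    end() { this.ended = true; },
  };
}
```

If the GraphQL endpoint is ever called cross-origin from a browser, the browser sends an OPTIONS preflight first, so OPTIONS would need to be added to the allowlist for that route.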
