` when it detects a proxy block. The * header is only honored on POST (other methods pass through untouched), and * only for the safelisted mutation verbs — no route should ever see an * "overridden GET", which would sidestep CSRF-shaped assumptions baked into * the routing layer. */ class MethodOverrideMiddleware { private const ALLOWED_OVERRIDES = ['DELETE', 'PATCH', 'PUT']; public function processRequest(ServerRequestInterface $request): ServerRequestInterface { if (strtoupper($request->getMethod()) !== 'POST') { return $request; } $override = strtoupper(trim($request->getHeaderLine('X-HTTP-Method-Override'))); if ($override === '' || !in_array($override, self::ALLOWED_OVERRIDES, true)) { return $request; } return $request->withMethod($override); } }