diff --git a/app/http/app.js b/app/http/app.js
index a1e4f4a..9dc8e04 100644
--- a/app/http/app.js
+++ b/app/http/app.js
@@ -131,3 +131,7 @@ router.delete(
     })
   }
 )
+
+router.all('*', (req, res) => {
+  handle.methodNotAllowed(res, 'GET, POST, PUT, DELETE')
+})
diff --git a/test/http/errorsTest.js b/test/http/errorsTest.js
index a3877e4..d45935f 100644
--- a/test/http/errorsTest.js
+++ b/test/http/errorsTest.js
@@ -73,4 +73,17 @@ describe('errors', () => {
         else validate.error(res.body).then(done)
       })
   })
+
+  it('should refuse unkown methods, such as PATCH', (done) => {
+    request(app)
+      .patch('/lalala')
+      .auth(config.username, config.password)
+      .expect(405)
+      .expect('Allow', 'GET, POST, PUT, DELETE')
+      .expect('Content-Type', /json/)
+      .end((err, res) => {
+        if (err) done(err)
+        else validate.error(res.body).then(done)
+      })
+  })
 })