A Razor Page will, by default, handle any HTTP method (standard or custom) you throw at it. For instance, even if you have only defined OnGet in your PageModel, and you never intended for the page to handle POST requests, it will respond with 200 OK to a POST request (assuming a NullReferenceException was not thrown while rendering the .cshtml file due to population logic in OnGet never having run.)
It will also silently delegate requests intended for a named handler to an unnamed handler: if you have defined OnGet and OnGetFoo in your PageModel, but you send a GET request for /mypage?handler=Bar (or say, /mypage/bar if you put the handler in the route template), the OnGet method will be invoked.
This gist includes a ExplicitHandlerResolutionPageFilter class that can be added to your application's configuration at startup to tighten up this behavior, so you can be sure that your Razor Pages will only expose exactly the endpoints you intended them to. Just copy it to your project, give it an appropriate namespace, and configure it in your Program.cs or Startup.cs (or whatever) like this:
builder.Services.AddRazorPages(o =>
{
o.Conventions.ConfigureFilter(new ExplicitHandlerResolutionPageFilter());
});
Or like this:
builder.Services.Configure<MvcOptions>(o =>
{
o.Filters.Add(new ExplicitHandlerResolutionPageFilter());
});