
Get rid of "OPTIONS"

Last Modified: 2013-12-02
I have a web server that shows the Allow OPTIONS request method. I would like to disable this option so you cannot see it on the remote host. I have attached a screenshot of the issue.

gr8gonzo, Consultant
CERTIFIED EXPERT

Commented:
Put this in your Apache config in the appropriate spot (either in the main server section or in one of the vhosts):

<LimitExcept GET POST>
    Deny from all
</LimitExcept>

That should prevent everything except GET, HEAD, and POST. You can add DELETE and TRACE and PUT to the first line if you want to allow that, but it sounds like you're trying to lock things down.
gr8gonzo, Consultant
CERTIFIED EXPERT

Commented:
You'll have to restart the web service for config changes to take effect, too.
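
To confirm the result after the restart, the following check sends an OPTIONS request and reports the status code and any methods listed in the Allow header. It is an added example, not part of the original thread; the function names and the two local stand-in servers (one answering as before the change, one refusing OPTIONS with 403) are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe_options(host, port, path="/", timeout=5):
    """Send one OPTIONS request; return (status, sorted advertised methods)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        resp.read()
        allow = resp.getheader("Allow") or ""
        methods = sorted(m.strip().upper() for m in allow.split(",") if m.strip())
        return resp.status, methods
    finally:
        conn.close()

def options_disabled(status, methods):
    """True when OPTIONS is refused and is not advertised in Allow."""
    return status >= 400 and "OPTIONS" not in methods

def make_handler(status, allow):
    """Constructed stand-in server behaviour (not a real Apache/Tomcat)."""
    class Handler(BaseHTTPRequestHandler):
        def do_OPTIONS(self):
            self.send_response(status)
            if allow:
                self.send_header("Allow", allow)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo output quiet
            pass
    return Handler

def demo():
    """Probe a 'before' and an 'after' stand-in on a free localhost port."""
    results = {}
    cases = (("before", 200, "GET,HEAD,POST,OPTIONS"), ("after", 403, None))
    for name, status, allow in cases:
        srv = HTTPServer(("127.0.0.1", 0), make_handler(status, allow))
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            st, methods = probe_options("127.0.0.1", srv.server_port)
            results[name] = (st, methods, options_disabled(st, methods))
        finally:
            srv.shutdown()
            srv.server_close()
    return results

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Against a real host, call `probe_options` with that server's name and port and pass the result to `options_disabled`.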

Author

Commented:
Can you be more exact on the file that would need these changes? I have Server.xml and Web.xml and many other files but not sure what Apache Config file I would modify.
Consultant
CERTIFIED EXPERT
Commented:
You should have an httpd.conf file. I'm assuming you're using Apache, since that's one of the areas under which this question is listed?

Unless someone has manually installed Apache, it would probably be in your Program Files folder somewhere. My path on Windows 7 is:

C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\httpd.conf

It sounds like you're a little unfamiliar with Apache configuration. I'm not trying to be condescending, but why are you removing the "OPTIONS"? Typically, the people who administrate the server (and would be familiar with the location of the config files) are the ones who want this type of change. It's a little dangerous to try to modify a configuration file if you don't know the structure of it...

Author

Commented:
I am very unfamiliar with Apache of any type. Not my area of expertise I assure you. Third party install and they do not know how to handle it either. Found this during an external PIN test and it is required that I remove it. This is my folder structure which may help a little to understand what I am running. C:\Program Files\Apache Software Foundation\Tomcat 5.0 then I am at the full blown folder structure of the app.
gr8gonzo, Consultant
CERTIFIED EXPERT

Commented:
You may want to change this zone over to Tomcat instead of Apache.
