  • Status: Solved

Disable HTTP OPTIONS method on Apache2.2

As web server/site administrators, we will be required to disable certain HTTP methods from the web and app servers we support. The most common reason to disable these methods is due to some security best practice.

We ran some web assessment tests using third-party tools, and one of the issues pointed out in the tests was the HTTP OPTIONS method.

How do I go about disabling the HTTP OPTIONS method?
Asked:
m3mdicl
1 Solution
 
mankowitz Commented:
OPTIONS allows a legitimate user (and a bad guy) to know what services are available in your server. WebDAV and CORS use this legitimately, but I can't think of any other applications. Usually, the best thing to do is to disable it completely and only allow the usual web access methods (head, get, put) to go through. You may need to enable more for RESTful interfaces, but usually not. You can do this with mod_rewrite.

In your httpd.conf:

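# Requires mod_rewrite to be loaded
RewriteEngine On
# Match any request whose method is not exactly GET, POST or HEAD
# (the trailing $ stops longer method names that merely start with one of them)
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
# Answer those requests with 405 Method Not Allowed
RewriteRule .* - [R=405,L]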

 
m3mdicl Author Commented:
Is there any other option other than mod_rewrite? My httpd.conf is empty. I am running Apache on Ubuntu... I do have an apache2.conf
 
mankowitz Commented:
According to https://help.ubuntu.com/10.04/serverguide/httpd.html, apache2.conf is the configuration file for Ubuntu. In other installations, the file is called httpd.conf.
 
mankowitz Commented:
Here is another solution:

Add this to your configuration file:

<LimitExcept GET POST>
deny from all
</LimitExcept>
