Solved

Disable HTTP OPTIONS method on Apache2.2

Posted on 2014-01-05
4
2,453 Views
Last Modified: 2014-01-09
As web server/site administrators, we will be required to disable certain HTTP methods from the web and app servers we support.  The most common reason to disable these methods is due to some security best practice.

We ran some web assessment tests using third party tools and One of the issues pointed out in the tests were HTTP OPTIONS METHOD.

How do i go about disabling the HTTP OPTIONS METHOD.
0
Comment
Question by:m3mdicl
  • 3
4 Comments
 
LVL 24

Accepted Solution

by:
mankowitz earned 500 total points
ID: 39757842
OPTIONS allows a legitimate (and bad-guy) to know what services are available in your server. WebDAV and CORS use this legitimately, but I can't think of any other applications. Usually, the best thing to do is to disable it completely and only allow the usual web access methods (head, get, put) to go through. You may need to enable more for restful interfaces, but usually not. You can do this with mod Rewrite

In your httpd.conf:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
RewriteRule .* - [R=405,L]

Open in new window

0
 

Author Comment

by:m3mdicl
ID: 39757845
Is there any other option other than mod_rewrite? My httpd.conf is empty. I am runing apache on ubuntu... I do have a apache2.conf
0
 
LVL 24

Expert Comment

by:mankowitz
ID: 39757853
According to https://help.ubuntu.com/10.04/serverguide/httpd.html, apache2.conf is the configuration file for ubuntu. In other installations, the file is called httpd.conf.
0
 
LVL 24

Expert Comment

by:mankowitz
ID: 39757859
Here is another solution:

Add this to your configuration file

<LimitExcept GET POST>
deny from all
</LimitExcept>
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A publishing tool, a Version Control System, or a Collaboration Platform! These can be some of the defining words for the two very famous web-hosting Git repositories: Bitbucket and Github. Git is widely used amongst the programmers and developers f…
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Use Wufoo, an online form creation tool, to make powerful forms. Learn how to choose which pages of your form are visible to your users based on their inputs. The page rules feature provides you with an opportunity to create if:then statements for y…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question