Solved

Disable HTTP OPTIONS method on Apache2.2

Posted on 2014-01-05
Last Modified: 2014-01-09
As web server/site administrators, we will be required to disable certain HTTP methods from the web and app servers we support. The most common reason to disable these methods is due to some security best practice.

We ran some web assessment tests using third-party tools, and one of the issues pointed out in the tests was the HTTP OPTIONS method.

How do I go about disabling the HTTP OPTIONS method?
0
Question by:m3mdicl
LVL 24

Accepted Solution

by:
mankowitz earned 500 total points
ID: 39757842
OPTIONS allows a legitimate user (and a bad guy) to know what services are available in your server. WebDAV and CORS use this legitimately, but I can't think of any other applications. Usually, the best thing to do is to disable it completely and only allow the usual web access methods (head, get, put) to go through. You may need to enable more for RESTful interfaces, but usually not. You can do this with mod_rewrite.

In your httpd.conf:

# Answer 405 to every request whose method is not exactly GET, POST or HEAD
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
RewriteRule .* - [R=405,L]


0
 

Author Comment

by:m3mdicl
ID: 39757845
Is there any other option other than mod_rewrite? My httpd.conf is empty. I am running Apache on Ubuntu... I do have an apache2.conf
0
 
LVL 24

Expert Comment

by:mankowitz
ID: 39757853
According to https://help.ubuntu.com/10.04/serverguide/httpd.html, apache2.conf is the configuration file for Ubuntu. In other installations, the file is called httpd.conf.
0
 
LVL 24

Expert Comment

by:mankowitz
ID: 39757859
Here is another solution:

Add this to your configuration file

<LimitExcept GET POST>
deny from all
</LimitExcept>
0
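To confirm that either change in the thread took effect (the mod_rewrite rule or the `<LimitExcept>` block), the script below probes a URL on your own server and reports any method that is still accepted. It is an added example, not part of the original posts. The function names, the default URL, the list of probed methods and the refusal codes (405 from the rewrite rule, 403 from `deny from all`) are assumptions made here.

```python
import http.client
import sys
from urllib.parse import urlsplit

# Assumption: the policy from the thread, i.e. only GET, POST and HEAD get through.
SHOULD_BE_REFUSED = ["OPTIONS", "PUT", "DELETE"]
# 405 is what the rewrite rule returns; 403 is what "deny from all" returns.
REFUSAL_CODES = {403, 405}


def probe(url, method, timeout=5):
    """Send one request with the given method; return (status, Allow header)."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.hostname, parts.port, timeout=timeout)
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request(method, parts.path or "/")
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, resp.getheader("Allow")
    finally:
        conn.close()


def audit(url):
    """Return a list of findings; an empty list means the method policy holds."""
    findings = []
    status, _ = probe(url, "GET")
    if status >= 400:
        findings.append(f"GET returned {status}: the rule may be blocking normal traffic")
    for method in SHOULD_BE_REFUSED:
        status, allow = probe(url, method)
        if status not in REFUSAL_CODES:
            detail = f", Allow: {allow}" if allow else ""
            findings.append(f"{method} still accepted (status {status}{detail})")
    return findings


if __name__ == "__main__":
    # Assumed usage: python check_methods.py http://localhost/
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost/"
    problems = audit(target)
    for line in problems:
        print("FAIL:", line)
    if not problems:
        print("OK: OPTIONS, PUT and DELETE are refused and GET still works")
    sys.exit(1 if problems else 0)
```

Run it once before and once after reloading Apache; the exit status is non-zero while any probed method is still accepted.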
