Solved

Disable HTTP OPTIONS method on Apache2.2

Posted on 2014-01-05
4
2,230 Views
Last Modified: 2014-01-09
As web server/site administrators, we will be required to disable certain HTTP methods from the web and app servers we support.  The most common reason to disable these methods is due to some security best practice.

We ran some web assessment tests using third party tools and One of the issues pointed out in the tests were HTTP OPTIONS METHOD.

How do i go about disabling the HTTP OPTIONS METHOD.
0
Comment
Question by:m3mdicl
  • 3
4 Comments
 
LVL 24

Accepted Solution

by:
mankowitz earned 500 total points
ID: 39757842
OPTIONS allows a legitimate (and bad-guy) to know what services are available in your server. WebDAV and CORS use this legitimately, but I can't think of any other applications. Usually, the best thing to do is to disable it completely and only allow the usual web access methods (head, get, put) to go through. You may need to enable more for restful interfaces, but usually not. You can do this with mod Rewrite

In your httpd.conf:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
RewriteRule .* - [R=405,L]

Open in new window

0
 

Author Comment

by:m3mdicl
ID: 39757845
Is there any other option other than mod_rewrite? My httpd.conf is empty. I am runing apache on ubuntu... I do have a apache2.conf
0
 
LVL 24

Expert Comment

by:mankowitz
ID: 39757853
According to https://help.ubuntu.com/10.04/serverguide/httpd.html, apache2.conf is the configuration file for ubuntu. In other installations, the file is called httpd.conf.
0
 
LVL 24

Expert Comment

by:mankowitz
ID: 39757859
Here is another solution:

Add this to your configuration file

<LimitExcept GET POST>
deny from all
</LimitExcept>
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension (http://www.experts-exchange.com/discussions/210281/Attachments-with-no-extension.html). This reminded me of questions tha…
When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now