Question

The HTTP OPTIONS method is enabled on NG Web servers by default. How can it be disabled?

The following nmap check reveals the method is enabled:

[root@web1 ~]# nmap -p 443,80 --script http-methods localhost

80/tcp  open  http
|_http-methods: GET HEAD POST OPTIONS
443/tcp open  https
|_http-methods: GET HEAD POST OPTIONS

Resolution

To disable OPTIONS and any other HTTP method, edit the /etc/httpd/conf.d/ng_custom.conf configuration file and add the following section:

<Location />
    # Deny every method except the ones listed here (GET and POST)
    <LimitExcept GET POST>
        order deny,allow
        deny from all
    </LimitExcept>
</Location>

This configuration allows only GET and POST methods on the web server.

Restart Apache afterwards:

# service httpd restart

Once the configuration is applied, the check returns a 403 error:

[root@web1 ~]# nmap -p 443,80 --script http-methods localhost

PORT    STATE SERVICE
80/tcp  open  http
|_http-methods: No Allow or Public header in OPTIONS response (status code 403)
443/tcp open  https
|_http-methods: No Allow or Public header in OPTIONS response (status code 403)
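The nmap check above can be scripted so that a method re-enabled by a later configuration change is noticed. This is an added example, not part of the original article: the function names and the allowlist are assumptions, the sample scans are constructed from the output shown on this page, and the parser handles only that output format.

```shell
#!/bin/sh
# Added example: flag HTTP methods outside an allowlist in nmap http-methods output.
# Usage: nmap -p 443,80 --script http-methods localhost | unexpected_methods

# Assumption for this example: GET and POST from the <LimitExcept> section, plus HEAD.
ALLOWED="GET HEAD POST"

# Reads nmap output on stdin and prints one "port method" pair per line for
# every advertised method that is not in $ALLOWED. Prints nothing when clean.
unexpected_methods() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Port line such as "80/tcp  open  http": remember the current port.
        /^[0-9]+\/tcp/ { split($1, p, "/"); port = p[1]; next }
        # Script line in the format shown on this page.
        /http-methods:/ {
            sub(/^.*http-methods:[ \t]*/, "")
            # After the fix nmap reports the 403 instead of a method list.
            if ($0 ~ /^No Allow or Public header/) next
            nf = split($0, m, " ")
            for (i = 1; i <= nf; i++)
                if (m[i] ~ /^[A-Z]+$/ && !(m[i] in ok)) print port, m[i]
        }
    '
}

# Exit status 0 only when no unexpected method is advertised (for cron or CI).
scan_is_clean() { [ -z "$(unexpected_methods)" ]; }

# Constructed sample input, copied from the scans shown in this article.
sample_before() { cat <<'EOF'
80/tcp  open  http
|_http-methods: GET HEAD POST OPTIONS
443/tcp open  https
|_http-methods: GET HEAD POST OPTIONS
EOF
}
sample_after() { cat <<'EOF'
PORT    STATE SERVICE
80/tcp  open  http
|_http-methods: No Allow or Public header in OPTIONS response (status code 403)
443/tcp open  https
|_http-methods: No Allow or Public header in OPTIONS response (status code 403)
EOF
}

echo "before the fix:"; sample_before | unexpected_methods
echo "after the fix:";  sample_after  | unexpected_methods
```

A clean result only means that the OPTIONS response no longer advertises extra methods, which is the same thing the nmap check in this article verifies.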

HTTP methods description: Method Definitions