Question
The HTTP OPTIONS method is enabled on NG Web servers by default. How can it be disabled?
The following nmap check reveals that the method is enabled:
[root@web1 ~]# nmap -p 443,80 --script http-methods localhost
80/tcp open http
|_http-methods: GET HEAD POST OPTIONS
443/tcp open https
|_http-methods: GET HEAD POST OPTIONS
Resolution
To disable OPTIONS and any other HTTP method, edit the /etc/httpd/conf.d/ng_custom.conf configuration file and add the following section:
<Location />
    <LimitExcept GET POST>
        order deny,allow
        deny from all
    </LimitExcept>
</Location>
This configuration allows only GET and POST methods on the web server. Apache's method restrictions treat HEAD as part of GET, so HEAD requests are still accepted.
Restart Apache afterwards:
# service httpd restart
Once the configuration is applied, the check returns a 403 error:
[root@web1 ~]# nmap -p 443,80 --script http-methods localhost
PORT STATE SERVICE
80/tcp open http
|_http-methods: No Allow or Public header in OPTIONS response (status code 403)
443/tcp open https
|_http-methods: No Allow or Public header in OPTIONS response (status code 403)
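To run the same check across several servers, the nmap output can be audited automatically. The script below is an added example, not part of the original article: it parses http-methods output in the format shown above and reports, per port, any advertised method outside an allowed set. The function name and the allowed set (GET, HEAD, POST) are assumptions.

```python
import re

ALLOWED = {"GET", "HEAD", "POST"}  # assumption: HEAD is accepted alongside GET

# Sample input: output of the two nmap runs shown in this article.
BEFORE = """\
80/tcp open http
|_http-methods: GET HEAD POST OPTIONS
443/tcp open https
|_http-methods: GET HEAD POST OPTIONS
"""
AFTER = """\
PORT STATE SERVICE
80/tcp open http
|_http-methods: No Allow or Public header in OPTIONS response (status code 403)
443/tcp open https
|_http-methods: No Allow or Public header in OPTIONS response (status code 403)
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b")
METHODS_RE = re.compile(r"^\|[_ ]?\s*http-methods:\s*(.*)$")
TOKEN_RE = re.compile(r"^[A-Z]+$")


def audit(nmap_output, allowed=ALLOWED):
    """Return {port: sorted list of advertised methods outside `allowed`}."""
    findings, port = {}, None
    for line in nmap_output.splitlines():
        line = line.strip()
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))  # remember which port the next result belongs to
            continue
        m = METHODS_RE.match(line)
        if not m or port is None:
            continue
        tokens = m.group(1).split()
        # A method list is all-uppercase tokens; anything else (such as the
        # "No Allow or Public header" message) advertises no methods.
        methods = set(tokens) if all(TOKEN_RE.match(t) for t in tokens) else set()
        findings[port] = sorted(methods - allowed)
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for port, extra in audit(text).items():
            print(label, port, "FAIL " + " ".join(extra) if extra else "ok")
```

An empty list for a port means the OPTIONS response advertised nothing beyond the allowed set; it reflects only what the nmap script reported for that port.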
HTTP methods description: Method Definitions