Article ID: 127829, created on Dec 23, 2015, last review on Dec 23, 2015

  • Applies to:
  • Operations Automation

Question

The HTTP OPTIONS method is enabled on NG Web servers by default. How can it be disabled?

The following nmap check reveals the method is enabled:

[root@web1 ~]# nmap -p 443,80 --script http-methods localhost

80/tcp  open  http
|_http-methods: GET HEAD POST OPTIONS
443/tcp open  https
|_http-methods: GET HEAD POST OPTIONS

Resolution

To disable OPTIONS and any other HTTP method, edit the /etc/httpd/conf.d/ng_custom.conf configuration file and add the following section:

<Location />
<LimitExcept GET POST>
order deny,allow
deny from all
</LimitExcept>
</Location>

This configuration allows only the GET and POST methods on the web server (HEAD is also still served, because Apache treats it as covered by GET).

Restart Apache afterwards:

# service httpd restart

Once the configuration is applied, the check shows that OPTIONS requests are answered with a 403 error:

[root@web1 ~]# nmap -p 443,80 --script http-methods localhost

PORT    STATE SERVICE
80/tcp  open  http
|_http-methods: No Allow or Public header in OPTIONS response (status code 403)
443/tcp open  https
|_http-methods: No Allow or Public header in OPTIONS response (status code 403)
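
A complementary check, added here as an example (not part of the original article): instead of relying on the OPTIONS response, the script below sends each method itself and reports any method outside GET, HEAD and POST that the server does not refuse. The function names, the probed method list, plain HTTP on port 80, and the set of status codes treated as refusals (403, 405, 501) are assumptions of this example.

```python
import http.client
import sys

# Methods the hardened configuration is expected to serve. HEAD is listed
# because Apache's <LimitExcept GET ...> also admits HEAD.
ALLOWED = {"GET", "HEAD", "POST"}
# Methods to probe (assumed list for this example).
PROBED = ["GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE", "TRACE", "PATCH"]
# Status codes counted as "method refused" (assumption): 403 is what the
# LimitExcept block returns; 405 and 501 are common refusals elsewhere.
REFUSED = {403, 405, 501}


def probe_methods(host, port=80, path="/", timeout=5):
    """Send one request per method over plain HTTP; return {method: status}.

    A status of None means the request failed at the connection level.
    """
    results = {}
    for method in PROBED:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()  # drain the body so the socket closes cleanly
            results[method] = resp.status
        except (OSError, http.client.HTTPException):
            results[method] = None
        finally:
            conn.close()
    return results


def unexpected_methods(results):
    """Return methods outside ALLOWED that the server answered without refusing."""
    return sorted(
        m for m, status in results.items()
        if m not in ALLOWED and status is not None and status not in REFUSED
    )


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    statuses = probe_methods(target)
    for method, status in statuses.items():
        print(f"{method:8} {status}")
    leftover = unexpected_methods(statuses)
    print("Unexpected methods still served:", ", ".join(leftover) or "none")
```

Run it on the web server before and after the restart; an empty result after the change confirms that every probed method other than GET, HEAD and POST is refused.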

HTTP methods description: Method Definitions
