Details
Use the Apache
Rationale:
The HTTP 1.1 protocol supports several request methods which are rarely used and potentially high risk. For example, methods such as PUT and DELETE are rarely used and should be disabled in keeping with the primary security principal of minimize features and options. Also since the usage of these methods is typically to modify resources on the web server, they should be explicitly disallowed. For normal web server operation, you will typically need to allow only the GET, HEAD and POST request methods. This will allow for downloading of web pages and submitting information to web forms. The OPTIONS request method will also be allowed as it used to request which HTTP request methods are allowed. Unfortunately, the Apache
Solution
Perform the following to implement the recommended state:
Locate the Apache configuration files and included configuration files.
Search for the directive on the document root directory such as:
. . .
Add a directive as shown below within the group of document root directives.
# Limit HTTP methods to standard methods. Note: Does not limit TRACE
Require all denied
Search for other directives in the Apache configuration files other than the OS root directory and add the same directives to each. It is very important to understand that the directives are based on the OS file system hierarchy as accessed by Apache and not the hierarchy of the locations within web site URLs.
. . .
# Limit HTTP methods
Require all denied
Default Value:
No Limits on HTTP methods.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity.This control applies to the following type of system Unix.