Disabling HTTP Methods

HTTP defines a set of request methods that indicate the action to be performed on a given resource, such as OPTIONS, TRACE, and TRACK.

OPTIONS is a diagnostic method commonly used to debug and troubleshoot web servers. However, most frequently, it serves as an opening that gives attackers an easy way to launch an attack.

Also problematic is the TRACE or TRACK method, which may introduce a Cross-Site Tracing vulnerability.

It is thus recommended to disable the OPTIONS|TRACE|TRACK methods, thereby blocking possible malicious access.

You can use rewrite rules to do so:

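# Rewrite rules are ignored unless the engine is enabled
RewriteEngine On
# Answer OPTIONS, TRACE and TRACK requests with 403 Forbidden
RewriteCond %{REQUEST_METHOD} ^(OPTIONS|TRACE|TRACK)
RewriteRule .* - [F]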

Add the above rule to the domain's document root .htaccess. If you use a control panel and want to disable OPTIONS|TRACE|TRACK methods for all virtual hosts, you can add the same lines to the virtual host include files. Please refer to the control panel's documentation to learn how to add/modify such include files for all virtual hosts.
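One way to confirm the rule is active after adding it, as an added example that is not part of the original page: the script sends GET plus each blocked method and checks that only GET succeeds while the others receive 403. The function names and the loopback stand-in server are constructed for illustration; point `audit()` at your own host and port to check a real site.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

BLOCKED = ("OPTIONS", "TRACE", "TRACK")  # methods named in the rewrite rule

def probe(host, port, method, path="/"):
    """Send one request with the given method and return the HTTP status."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path)
        return conn.getresponse().status
    finally:
        conn.close()

def audit(host, port):
    """Return {method: status} for GET plus each method the rule should block."""
    return {m: probe(host, port, m) for m in ("GET",) + BLOCKED}

def rule_in_effect(results):
    """True when GET still succeeds and every blocked method gets 403 ([F])."""
    return results["GET"] == 200 and all(results[m] == 403 for m in BLOCKED)

class StandIn(BaseHTTPRequestHandler):
    """Constructed loopback stand-in for a server that has the rule applied."""
    def _reply(self, status):
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_GET(self):
        self._reply(200)
    def do_OPTIONS(self):
        self._reply(403)
    do_TRACE = do_TRACK = do_OPTIONS
    def log_message(self, *args):
        pass  # keep the demo quiet

def demo():
    """Audit the stand-in on a free loopback port; return the status map."""
    srv = HTTPServer(("127.0.0.1", 0), StandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return audit("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(demo())
```

A result where any of the three methods returns something other than 403 means the rule is not being applied to that virtual host.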

  • Last modified: 2019/04/24 15:43
  • by Lisa Clarke