Skip to main content

How To disable "http" OPTIONS method in Apache.

Adam Saad
  • Updated

Introduction

 

To further ensure that your server is secure, you can find PCI reports recommending you disable "HTTP" redirects with your Apache configuration. You can do this by setting up direct redirect conditions that can be applied to Apache. 

 

Procedure

 

You can disable this by adding configuration options outside of the virtual hosts that exist. One recommended example you will find is shown below:

 

<Location />
    <LimitExcept GET POST>
        order deny,allow
        deny from all
    </LimitExcept>
</Location>

 

You would also be able to add:

 

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^OPTIONS
RewriteRule .* - [F]

 

Once you have selected either of these. You can then make sure to save either of these in your (httpd.conf) file. Here is how we recommend user's to update the "httpd.conf" file:

 

How to Edit the Apache Configuration File

 

To properly apply this method, you can do so by adding this to an Apache Include. You may also apply it to any (.htaccess) file with in your user home directory (i.e: /home/user/.htaccess). Additional articles can be found on how to set up Apache include configurations:


How to use Apache includes adding configuration directives to all virtualhosts severwide

 

This is based on the following documentation:

 


You will want to make sure you have you restart the HTTP server to take effect. You can do so by running this the following command via SSH:

 

 

# Perform a hard restart.

/scripts/restartsrv_httpd --restart --hard

 

 

You can use the Curl tool in SSH to confirm that these changes have set, and OPTIONS method is disabled. In the following example:

 

# curl -i -X OPTIONS http://IPADDRESS:PORT

HTTP/1.1 200 OK
Date: Thu, 08 Oct 2020 16:05:57 GMT
Server: Apache
Allow: OPTIONS,HEAD,GET,POST
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Content-Length: 0
Content-Type: text/html

 

We can see above that we received an (HTTP/1.1 200 OK), this would mean that the process was completed and accepted by Apache. That would mean that we have not yet disabled the option, and we need to make specific settings have been saved into the Apache configuration.

 

If the option is disabled, the results will be as follows:

 

# curl -i -X OPTIONS http://IPADDRESS:PORT

HTTP/1.1 403 Forbidden
Date: Thu, 08 Oct 2020 16:05:57 GMT
Server: Apache
Content-Length: 208
Content-Type: text/html; charset=UTF-8

 

For more details, you can reference Apache HTTP Server Version 2.4 Documentation: http://httpd.apache.org/docs/2.4/

Related articles

Comments

0 comments

Article is closed for comments.