Introduction
To further harden your server, you may find PCI scan reports recommending that you disable the HTTP OPTIONS method in your Apache configuration. You can do this by adding access-control conditions to Apache that reject the method.
Procedure
You can disable the method by adding configuration options outside of any existing virtual hosts, so that they apply server-wide. One recommended example you will find is shown below:
# Applies to the whole document tree: deny every method except GET and POST.
<Location />
    <LimitExcept GET POST>
        # Apache 2.2-style access control; on Apache 2.4 these two directives
        # need mod_access_compat (the native 2.4 equivalent is "Require all denied").
        order deny,allow
        deny from all
    </LimitExcept>
</Location>
Alternatively, you can use mod_rewrite to reject only the OPTIONS method:
# Answer every OPTIONS request with 403 Forbidden ([F]); all other methods are untouched.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^OPTIONS
RewriteRule .* - [F]
Once you have chosen one of these, save it in your httpd.conf file. Here is how we recommend users update the httpd.conf file:
How to Edit the Apache Configuration File
To apply this method properly, add it to an Apache Include. You may also apply it to any .htaccess file within your user home directory (for example, /home/user/.htaccess). Additional articles describe how to set up Apache include configurations:
How to use Apache includes adding configuration directives to all virtualhosts serverwide
This is based on the following documentation:
You must restart the HTTP server for the change to take effect. You can do so by running the following command via SSH:
# Perform a hard restart.
/scripts/restartsrv_httpd --restart --hard
You can use the curl tool in SSH to confirm that the changes have taken effect and that the OPTIONS method is disabled, as in the following example:
# curl -i -X OPTIONS http://IPADDRESS:PORT
HTTP/1.1 200 OK
Date: Thu, 08 Oct 2020 16:05:57 GMT
Server: Apache
Allow: OPTIONS,HEAD,GET,POST
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Content-Length: 0
Content-Type: text/html
We can see above that we received HTTP/1.1 200 OK, which means Apache accepted and completed the OPTIONS request (the Allow header even lists OPTIONS as a permitted method). The method has therefore not yet been disabled, and we need to verify that the settings were actually saved into the Apache configuration and that the server was restarted.
If the option is disabled, the results will be as follows:
# curl -i -X OPTIONS http://IPADDRESS:PORT
HTTP/1.1 403 Forbidden
Date: Thu, 08 Oct 2020 16:05:57 GMT
Server: Apache
Content-Length: 208
Content-Type: text/html; charset=UTF-8
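To turn the manual curl check above into something you can run after every restart, here is an added example (not from the original article) that sends the same OPTIONS request and classifies the response: 403 or 405 means the method is refused, 200 means it is still enabled. The host, port and the two sample responses are constructed placeholders modelled on the article's curl output.
```shell
#!/bin/sh
# Added example, not part of the original article. IPADDRESS/PORT are placeholders.

# probe_options HOST PORT [PATH]
# Sends the same request the article shows (-i: include headers, -s: quiet,
# -m 10: give up after 10 seconds) and prints the raw response on stdout.
probe_options() {
  _path=${3:-/}
  curl -s -i -m 10 -X OPTIONS "http://$1:$2$_path"
}

# allowed_methods RAW_RESPONSE
# Prints the value of the Allow header, or nothing if Apache sent none.
# tr strips the CR from CRLF line endings so the value compares cleanly.
allowed_methods() {
  printf '%s\n' "$1" | tr -d '\r' | grep -i '^Allow:' \
    | sed 's/^[Aa][Ll][Ll][Oo][Ww]:[[:space:]]*//'
}

# classify_options_response RAW_RESPONSE
# Prints one of:
#   disabled  Apache refused the method (403 as in the article, or 405)
#   enabled   Apache answered 2xx, i.e. it still processes OPTIONS
#   unknown   anything else (redirect, proxy in front of Apache, no response)
classify_options_response() {
  _status=$(printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{print $2}')
  case "$_status" in
    403|405) echo "disabled" ;;
    2??)     echo "enabled" ;;
    *)       echo "unknown" ;;
  esac
}

# Constructed sample responses, copied in shape from the article's two curl runs.
SAMPLE_ENABLED='HTTP/1.1 200 OK
Date: Thu, 08 Oct 2020 16:05:57 GMT
Server: Apache
Allow: OPTIONS,HEAD,GET,POST
Content-Length: 0
Content-Type: text/html'

SAMPLE_DISABLED='HTTP/1.1 403 Forbidden
Date: Thu, 08 Oct 2020 16:05:57 GMT
Server: Apache
Content-Length: 208
Content-Type: text/html; charset=UTF-8'

# Live usage against your own server (placeholders):
#   raw=$(probe_options IPADDRESS PORT)
#   echo "OPTIONS is $(classify_options_response "$raw"); Allow: $(allowed_methods "$raw")"
```
Run the live form once before you apply the configuration and once after the hard restart; the classification should change from enabled to disabled, and the Allow header should disappear along with the 200 response.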
For more details, you can reference Apache HTTP Server Version 2.4 Documentation: http://httpd.apache.org/docs/2.4/