Last updated on June 28th, 2024 at 06:18 am
Apache server supports a wide range of request types for all websites and apps that are running on it. They are all enabled by default. In most cases, we typically use GET and POST requests and don’t pay attention to the other types of requests. But it is important to disable insecure HTTP methods in Apache web server such as OPTIONS, HEAD, PUT, DELETE if your website does not need them. Otherwise they can lead to security vulnerabilities. In this article, we will look at how to disable HTTP OPTIONS methods in Apache. You can also use these steps to disable HEAD, PUT, DELETE methods.
What is HTTP Options Methods
HTTP Options is a specific type of HTTP request generally sent by client web browsers to web servers before making an actual request. It enables browsers to get information about specific server resources without actually requesting it. For example, if a browser wants to make a cross-origin request (CORS) to a web server, it needs to send a pre-flight request, that is, an HTTP options request to check if CORS is enabled on web server or not. Generally, it is used to get permission from web server of another domain, before making requests to it.
Why Disable HTTP Options Methods
In many cases, attackers can use HTTP Options methods to get information about permitted request types on your Apache server and exploit their vulnerabilities. In some cases, keeping it enabled can even expose internal server configuration details and open your server to attacks. That is why it is recommended to disable HTTP options method on your server, if you do not need it.
How To Disable HTTP Options Methods in Apache
Here are the steps to disable HTTP OPTIONS methods in Apache web server. There are two ways to solve this problem – using Apache configuration file and using .htaccess file. We will learn each of these methods one by one.
Before we proceed, you can easily determine if OPTIONS is enabled on your website using the following curl command.
$ curl –i –X OPTIONS https://your_ip_or_domain
HTTP/1.1 200 OK
Date: Mon, 08 Oct 2018 15:14:23 GMT
Server: Apache
Allow: OPTIONS,POST,GET,HEAD
Content-Length: 0
Content-Type: text/html
1. Using Apache Configuration File
In this approach, we modify Apache configuration file to directly block OPTIONS requests.
1. Backup Apache Configuration File
First step is to take a backup of Apache configuration file. It is generally located at any of the following locations, depending on your system and type of installation.
- /etc/apache2/httpd.conf
- /etc/apache2/apache2.conf
- /etc/httpd/httpd.conf
- /etc/httpd/conf/httpd.conf
Run the following command to open it in text editor.
$ sudo vi /etc/apache2/httpd.conf
2. Disable OPTIONS
Add the following code to your configuration file.
<Location />
<LimitExcept GET POST>
order deny,allow
deny from all
</LimitExcept>
</Location>
Alternatively, you can also add the following code snippet.
<Directory />
AllowOverride none
Require all denied
<Limit OPTIONS>
Order deny,allow
Deny from all
</Limit>
</Directory>
Both the above code blocks disable OPTIONS and allow only GET & POST requests.
3. Restart Apache Web Server
Restart Apache web server to apply changes.
$ sudo service apache2 restart
2. Using .htaccess File
Often web administrators do not have access to Apache configuration file, or do not want to modify it. In such cases, you can try disabling OPTIONS via .htaccess file. In this solution, we will need to enable mod_rewrite module in Apache to disable HTTP methods.
1. Open htaccess file
Before proceeding, please enable mod_rewrite (.htaccess) in your Apache web server.
Open .htaccess file, typically located at /var/www/html/.htaccess
$ sudo vi /var/www/html/.htaccess
2. Disable HTTP OPTIONS methods
Add the following lines to your .htaccess file to disable OPTIONS, TRACE and TRACK methods.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]
In the above code, the first line tells Apache to enable mod_rewrite. The second line matches the request method with OPTIONS, TRACE and TRACK methods. The third line forbids access to all such matching methods.
So, to summarize, Apache forbids access to all requests whose HTTP method is OPTIONS, TRACE or TRACK.
Similarly, you can disable HEAD, PUT, DELETE methods by adding/replacing
TRACE|TRACK|OPTIONS
with other HTTP methods. Here is the configuration to disable HEAD, PUT, DELETE methods.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|PUT|DELETE)
RewriteRule .* - [F]
3. Restart Apache Web Server
Restart Apache web server to apply changes.
$ sudo service apache2 restart
Verify Changes
If you run curl command once again, this time the response will not contain OPTIONS. In some cases, the Allow response header itself may not be visible.
$ curl –i –X OPTIONS https://your_ip_or_domain
HTTP/1.1 200 OK
Date: Mon, 08 Oct 2018 15:14:23 GMT
Server: Apache
Allow: POST,GET
Content-Length: 0
Content-Type: text/html
Conclusion
Hopefully, this article will help you disable HTTP OPTIONS method for your Apache web server. By default, all web servers allow all kinds of requests. But it is important to disable unnecessary request types on your website. Otherwise, attackers will use this doorway to sneak into your server, siphon off important information and use it exploits site vulnerabilities.
Ubiq makes it easy to visualize data in minutes, and monitor in real-time dashboards. Try it Today!
Also Read :
How to Set Default Character Set to UTF8 in Apache
How to Change Default Timezone
How to Enable mod_rewrite in XAMPP, WAMP
Sreeram Sreenivasan is the Founder of Ubiq. He has helped many Fortune 500 companies in the areas of BI & software development.