Objective
The HTTP 1.1 protocol supports many request methods. Not all of them are required for every site, and the ones you do not need add potential risk.
A default Apache configuration supports the OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT methods of HTTP 1.1.
However, most web applications typically need only the GET, HEAD and POST request methods.
Solution
Disable all HTTP request methods except for GET, HEAD, POST.
Edit your Apache configuration file /etc/apache2/httpd.conf and add the following inside the respective Directory directive:
<Directory />
    # Apache 2.4 syntax; "deny from all" is the 2.2 form and only works with mod_access_compat loaded
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Directory>
Reload Apache
[root@nowherelan]# systemctl reload httpd.service
Verify that your web application still functions properly after disabling these request methods.
Use the online Request Method Security Scanner to remotely check which HTTP request methods your site still allows.
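As an added example that is not part of the original page, the following Python 3 script checks a server you administer for each method listed above and flags any beyond GET, HEAD and POST that still get through; the URL argument and the status-code classification are assumptions, not Apache's own definitions.

```python
"""Added example: probe which HTTP methods your own Apache server accepts.
Usage: python3 check_methods.py http://localhost/"""
import sys
import urllib.error
import urllib.request

# The methods a default Apache configuration enables, as listed above.
METHODS = ["OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"]
WANTED = {"GET", "HEAD", "POST"}
# Assumed classification: 403 is what the denied LimitExcept block returns,
# 405 means Apache knows the method but no handler takes it, 501 means it is
# not implemented, 0 means the connection dropped with no HTTP response.
# Any other status means the request reached a handler: review that method.
BLOCKED = {0, 403, 405, 501}

def method_allowed(status):
    """True when the status code shows the server processed the method."""
    return status not in BLOCKED

def unexpected_methods(results):
    """Given {method: status}, return allowed methods outside WANTED, sorted."""
    return sorted(m for m, s in results.items()
                  if method_allowed(s) and m not in WANTED)

def probe(url, method, timeout=5):
    """Send one request with the given method; return the HTTP status code."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 4xx/5xx responses still carry the status
    except urllib.error.URLError:
        return 0                 # no HTTP response at all

def main(url):
    results = {m: probe(url, m) for m in METHODS}
    for m, s in results.items():
        print(f"{m:8s} {s:3d}  {'allowed' if method_allowed(s) else 'blocked'}")
    extra = unexpected_methods(results)   # TRACE is governed by TraceEnable
    if extra:
        print("Still accepted beyond GET/HEAD/POST:", ", ".join(extra))
        return 1
    print("Only GET, HEAD and POST are accepted.")
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "http://localhost/"))
```

A non-zero exit status means at least one method outside GET, HEAD and POST is still being processed, which is the case to investigate before relying on the LimitExcept block.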
My System Configuration
- CentOS 7
- Apache 2.4