The HTTP 1.1 protocol supports many request methods. Not all of these may be required for your site, and may in fact add a potential risk.
A default Apache configuration supports OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT method in HTTP 1.1 protocol.
However, typically most web applications only need GET, HEAD, POST request methods.
Disable all HTTP request methods except for GET, HEAD, POST.
Edit your Apache configuration file
/etc/apache2/httpd.conf and add the following in the respective Directory directive
<Directory /> <LimitExcept GET POST HEAD> deny from all </LimitExcept> </Directory>
[root@nowherelan]# systemctl reload httpd.service
Verify that your web application still functions properly after disabling these request methods.
Use the online Request Method Security Scanner to remotely check your site for which HTTP request methods are allowed.
My System Configuration
- CentOS 7
- Apache 2.4