The HTTP methods are used to perform create, read, update, and delete (or CRUD) operations. The most common methods are POST, GET, PUT, PATCH, and DELETE. Its good practice to disable methods, which are unused and insecure like PUT, PATCH, and DELETE.
This tutorial explains, how to disable HTTP methods for an apache web server.
Disable HTTP Methods in Apache
Create a “.htaccess” file under the document root directory and add the following code. Make sure that the Apache rewrite module and .htaccess are enabled.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|PUT|DELETE|PATCH|TRACK|OPTIONS)
RewriteRule .* - [F]
The above configuration will disable HEAD, PUT, DELETE, PATCH, TRACK, and OPTIONS methods.
Next, restart the Apache webserver to apply changes.
sudo systemctl restart apache2
Verify Setup
You can verify changes using the curl command line utility. Let’s send a request from your system to verify that the server accepts specific header requests. For example, the below command will send an “OPTIONS” request to the server.
curl -i -X OPTIONS https://tecadmin.net
OutputHTTP/1.1 403 Forbidden Date: Thu, 30 Dec 2021 05:50:03 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 281 Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access this resource.</p> <hr> <address>Apache Server at tecadmin.net Port 443</address> </body></html>
You will see a forbidden message in the result. This means that the Apache server rejected the OPTIONS request.
Conclusion
Hopefully, this article will help you disable the HTTP methods for your Apache webserver.
1 Comment
Thanks, this helps me to secure WordPress site from malicious contents.