Apache, being a widely used web server, offers flexibility in configuring and securing web services. One effective measure to secure an Apache server is by disabling HTTP methods that are unnecessary or pose security risks. The process involves modifying server configuration, specifically through the use of the .htaccess file. Before proceeding, ensure that both the Apache rewrite module and the .htaccess file functionality are enabled on your server. This is crucial for the rewrite rules to be recognized and applied.
This comprehensive guide delves into the process of disabling unwanted HTTP methods on an Apache web server, enhancing its security posture.
Disabling HTTP Methods in Apache
Create a “.htaccess” file under the document root directory and add the following code. Make sure that the Apache rewrite module and .htaccess are enabled.
# Enable mod_rewrite processing for this directory
RewriteEngine On
# Compare the request method against the list of methods to block
# (the match is case-sensitive because no [NC] flag is given)
RewriteCond %{REQUEST_METHOD} ^(HEAD|PUT|DELETE|PATCH|TRACK|OPTIONS)
# [F] stops rewriting and answers with 403 Forbidden for any path
RewriteRule .* - [F]
These lines instruct the Apache server to block HTTP requests using the HEAD, PUT, DELETE, PATCH, TRACK, and OPTIONS methods. The [F] flag results in a 403 Forbidden response to any requests using these methods, effectively disabling them.
Next, restart the Apache web server to apply the changes.
sudo systemctl restart apache2
Verify Setup
To ensure that the unwanted HTTP methods have been successfully disabled, you can use the curl command-line utility to send requests to the server. For instance, to check if the OPTIONS method is disabled, execute:
curl -i -X OPTIONS https://yourdomain.net
A successful configuration will result in a 403 Forbidden response, indicating that the server correctly rejects requests using the specified method.
Output:
HTTP/1.1 403 Forbidden
Date: Thu, 30 Dec 2021 05:50:03 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 281
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache Server at tecadmin.net Port 443</address>
</body></html>
This response confirms that the Apache server is properly configured to deny access via the disabled HTTP methods, thereby enhancing its security against certain types of web attacks.
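Rather than issuing one curl call per method, the following added Python script (not part of the original guide) probes every method of interest in one run and compares each observed status with what the RewriteCond above should produce. The base URL is a placeholder; the script assumes only that the .htaccess shown here lives in that vhost's document root. Methods the pattern does not name, such as GET, POST and the standard TRACE method, are expected to pass through to the normal handler and are reported as mismatches only if they come back 403.

```python
import http.client
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# The RewriteCond pattern from the .htaccess above. mod_rewrite tests it
# against %{REQUEST_METHOD} with an unanchored, case-sensitive regex search
# (no [NC] flag), so the leading '^' is what pins it to the start of the name.
BLOCK_PATTERN = r"^(HEAD|PUT|DELETE|PATCH|TRACK|OPTIONS)"

# Methods to probe: the blocked set plus the ones that must keep working.
PROBE_METHODS = ["GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "PATCH", "TRACE", "TRACK"]

def expected_status(method: str, pattern: str = BLOCK_PATTERN) -> Optional[int]:
    """403 when the RewriteCond matches and the [F] rule fires; None when the
    rule stays silent and whatever handler serves the path answers instead."""
    return 403 if re.search(pattern, method) else None

def check_policy(observed: Dict[str, int], pattern: str = BLOCK_PATTERN) -> List[str]:
    """Return the methods whose observed status contradicts the policy: a
    blocked method that did not get 403, or an unblocked one that did."""
    bad = []
    for method, status in observed.items():
        want = expected_status(method, pattern)
        if (want == 403) != (status == 403):
            bad.append(method)
    return bad

def probe(base_url: str, methods: List[str] = PROBE_METHODS, timeout: float = 5.0) -> Dict[str, int]:
    """Send each method to base_url (one connection per request, TLS verified
    with the default context) and map method -> HTTP status code."""
    u = urlparse(base_url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    observed: Dict[str, int] = {}
    for method in methods:
        conn = conn_cls(u.hostname, u.port, timeout=timeout)
        try:
            conn.request(method, u.path or "/")
            observed[method] = conn.getresponse().status
        finally:
            conn.close()
    return observed

if __name__ == "__main__":
    # Placeholder host; substitute the vhost whose document root holds the .htaccess.
    results = probe("https://yourdomain.net/")
    for method, status in results.items():
        print(f"{method:8} -> {status}")
    print("policy mismatches:", check_policy(results) or "none")
```

Note that TRACE is not in the pattern on this page; Apache's TraceEnable Off directive is the usual way to switch that method off server-wide.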
Conclusion
Disabling unnecessary or insecure HTTP methods is a crucial hardening step for an Apache web server. This guide provides a detailed walkthrough for configuring your Apache server to reject requests that use specific methods, protecting it from potential threats. By carefully managing the allowed HTTP methods, administrators can ensure a safer web environment for their users and data.
1 Comment
Thanks, this helps me secure my WordPress site from malicious content.