HTTP methods, or verbs, such as GET, POST, PUT, DELETE and others, define the type of action to be performed on a resource. Some of them are essential for almost every web application; others are rarely needed and become a liability when left reachable. TRACE is the classic case: if it is enabled, a cross-site tracing (XST) attack can use it to read back the request a browser sent, including Cookie and Authorization headers that script in the page cannot otherwise see.
In the Apache web server, specific HTTP methods can be allowed or denied with <Limit> and <LimitExcept> sections, either in the global server configuration or inside a <Directory> block. Prefer <LimitExcept>: a <Limit> list only covers the methods it names, so an unlisted or made-up method name slips past it, whereas <LimitExcept> denies everything except the methods you list. Note that neither section controls TRACE; that is governed by the TraceEnable directive.
Apache's default handler already answers PUT and DELETE on static content with 405 Method Not Allowed, but TRACE is enabled by default (TraceEnable On), and any module or script handler you add may accept further methods. Explicitly allowing only the methods the application needs, and turning TRACE off, removes the dependence on those defaults and is good security practice.
$ sudo vi /etc/apache2/sites-available/000-default.conf
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
    <LimitExcept GET POST>
        Require all denied
    </LimitExcept>
</Directory>
The first block is the stock <Directory> section; the second adds the restriction. Methods not listed in the <LimitExcept> section are denied, which here covers PUT and DELETE as well as PATCH, OPTIONS and any unrecognised method name. Listing GET also permits HEAD, so HEAD does not need to be named separately. Denying OPTIONS will break CORS preflight requests, so add OPTIONS to the list if the site needs them. TRACE is not affected by <Limit> sections at all; disable it with TraceEnable off in the server configuration. Only disable the methods your application does not require: WebDAV shares and REST APIs, for example, legitimately need PUT or DELETE.
Check the syntax before reloading, then restart the service:

$ sudo apachectl configtest
$ sudo systemctl restart apache2    # Ubuntu, Debian
$ sudo systemctl restart httpd      # CentOS and Red Hat
$ curl -X PUT http://127.0.0.1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method PUT is not allowed for this URL.</p>
<hr>
<address>Apache/2.4.55 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>

A 405 for PUT on a static file is what Apache's default handler returns even without the <LimitExcept> block, so on its own it does not prove the restriction is active. A request that the section actually denies is answered with 403 Forbidden; repeat the check with -X OPTIONS, which stock Apache would otherwise answer with 200, and with -X TRACE to confirm that TraceEnable off is in effect.
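Rather than checking one method at a time with curl, the following script probes the whole method list and flags anything outside the intended allowlist that still returns a 2xx. It is an added example for this article, not code from the original page. It assumes a target base URL passed as the first argument (for example http://127.0.0.1); with no argument it probes a constructed stand-in server, included so the script runs offline, that mimics <LimitExcept GET POST> with Require all denied and Apache's default of TRACE still enabled.

```python
"""Probe which HTTP methods a server accepts, to verify a LimitExcept block.

Added example for this article, not code from the original page. It assumes a
target base URL such as http://127.0.0.1 (argv[1]); with no argument it probes
a constructed stand-in server that mimics <LimitExcept GET POST> with
Require all denied, so the script runs offline.
"""
import http.client
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Probe the safe methods, the state-changing ones the article limits, and
# TRACE, which <Limit> sections never cover (that needs TraceEnable off).
METHODS = ("GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE", "PATCH", "TRACE")


def probe_methods(base_url, methods=METHODS, path="/", timeout=5):
    """Send one request per method; return {method: HTTP status code}."""
    u = urlparse(base_url)
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
        try:
            conn.request(method, path, headers={"Host": u.netloc})
            results[method] = conn.getresponse().status
        finally:
            conn.close()
    return results


def classify(results, wanted=("GET", "HEAD", "POST")):
    """Flag methods outside `wanted` that still get a 2xx; list the blocked ones.

    403 is what Require all denied returns; 405 is Apache's default handler
    refusing a method it has no implementation for (PUT, DELETE on static files).
    """
    unexpected = sorted(m for m, code in results.items()
                        if 200 <= code < 300 and m not in wanted)
    blocked = sorted(m for m, code in results.items() if code in (403, 405))
    return {"unexpected": unexpected, "blocked": blocked}


class _AllowlistHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for Apache: 403 outside the allowlist, TRACE ignores it."""
    allowed = ("GET", "HEAD", "POST")   # GET in <Limit> also admits HEAD
    trace_enabled = True                # Apache's TraceEnable default

    def _reply(self):
        if self.command == "TRACE" and self.trace_enabled:
            code = 200                  # <LimitExcept> does not reach TRACE
        elif self.command in self.allowed:
            code = 200
        else:
            code = 403                  # Require all denied -> 403 Forbidden
        body = b"ok\n" if code == 200 and self.command != "HEAD" else b""
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_HEAD = do_POST = do_OPTIONS = do_PUT = do_DELETE = do_PATCH = do_TRACE = _reply

    def log_message(self, *args):       # keep the demo quiet
        pass


def start_demo_server(allowed=("GET", "HEAD", "POST"), trace_enabled=True):
    """Start the stand-in on a loopback port in a daemon thread; return its base URL."""
    handler = type("Handler", (_AllowlistHandler,),
                   {"allowed": allowed, "trace_enabled": trace_enabled})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else start_demo_server()
    res = probe_methods(target)
    for m in METHODS:
        print("%-8s %s" % (m, res[m]))
    print("should be disabled:", classify(res)["unexpected"] or "nothing")
```

Run it against the real host after the restart (python3 probe.py http://127.0.0.1) and expect only GET, HEAD and POST to return 200; a 200 for TRACE means the <LimitExcept> block is in place but TraceEnable off is still missing, which is exactly what the stand-in reproduces when run with no argument.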