Disabling unneeded HTTP methods in Apache is an important security measure. Methods such as OPTIONS, TRACE, and HEAD can be abused if left enabled, and most web applications do not need them, so they should be disabled to reduce the server's attack surface.

In Apache, you can control which HTTP methods are allowed through configuration files. By specifying which methods are needed, you can block potentially harmful requests. This ensures that your web server only responds to the methods essential for your application’s functionality.

Even though Apache might disable some risky methods by default, it's crucial to review and adjust these settings. This step helps prevent unauthorized access and strengthens your web server’s security.

Steps to disable HTTP methods in Apache:

  1. Open the Apache configuration file using a text editor.
    $ sudo vi /etc/apache2/sites-available/000-default.conf
    Password:
  2. Navigate to the <Directory> block that corresponds to your website’s document root or the location where you want to apply restrictions.
    <Directory /var/www/html>
      Options Indexes FollowSymLinks
      AllowOverride None
      Require all granted
    </Directory>
  3. Add a LimitExcept section within the <Directory> block to specify the allowed HTTP methods, and move the general Require all granted into a matching <Limit> section so the grant and the denial do not overlap.
    <Directory /var/www/html>
      Options Indexes FollowSymLinks
      AllowOverride None

      # Allow only GET and POST (Apache treats HEAD as GET here).
      <Limit GET POST>
        Require all granted
      </Limit>

      # Deny every other method.
      <LimitExcept GET POST>
        Require all denied
      </LimitExcept>
    </Directory>

    Methods not listed in the LimitExcept section are denied, which in this case includes PUT, DELETE, and OPTIONS. Keep the Require all granted inside the <Limit GET POST> section rather than at the top of the <Directory> block: Apache 2.4 evaluates sibling Require directives as an implicit <RequireAny>, so an unconditional grant next to the denial would satisfy every request first and the denial would never take effect. Two further points: HEAD is treated as GET inside <Limit> and <LimitExcept>, so it stays allowed together with GET, and TRACE is not controlled by these sections at all; disable it with TraceEnable off in the main server configuration. Only disable the methods your web application does not need, since some applications depend on PUT or DELETE.

  4. Save the file and exit the text editor.
  5. Restart Apache to apply the new configuration.
    $ sudo systemctl restart apache2 # Ubuntu, Debian
    $ sudo systemctl restart httpd # CentOS and Red Hat
  6. Test your server to verify that the unwanted methods are disabled.
    $ curl -X PUT http://127.0.0.1
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>405 Method Not Allowed</title>
    </head><body>
    <h1>Method Not Allowed</h1>
    <p>The requested method PUT is not allowed for this URL.</p>
    <hr>
    <address>Apache/2.4.55 (Ubuntu) Server at 127.0.0.1 Port 80</address>
    </body></html>
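A single curl call only checks one method. The following audit script is an added example, not part of the article: it probes each method the article mentions and lists any the server still accepts. It assumes the intended allow-list is GET, HEAD and POST, treats a 403 (from the Require denial), a 405 (from a handler that does not implement the method) or a 501 as a rejection, and falls back to a constructed sample when no host is given.

```python
import http.client
import sys

# Methods the configuration above is meant to leave enabled. HEAD is listed
# because Apache treats HEAD as GET inside <Limit> and <LimitExcept>.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST"})

# Methods to probe. TRACE is included because <LimitExcept> never covers it;
# only TraceEnable does.
PROBE_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "TRACE")

# Status codes that show the method itself was rejected: 403 from the Require
# denial, 405 from a handler that does not implement the method, 501 for a
# method Apache does not know at all.
REJECTED_STATUSES = frozenset({403, 405, 501})


def probe_methods(host, port=80, path="/", methods=PROBE_METHODS, timeout=5):
    """Send one request per method and return {method: status_code}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()  # drain the body so the connection closes cleanly
            results[method] = resp.status
        finally:
            conn.close()
    return results


def find_unexpected_methods(results, allowed=ALLOWED_METHODS):
    """Return, sorted, the methods the server accepted although the allow-list excludes them."""
    return sorted(
        method for method, status in results.items()
        if method not in allowed and status not in REJECTED_STATUSES
    )


# Constructed sample (not captured from a real server): the typical picture right
# after applying the <Limit>/<LimitExcept> pair with TraceEnable left at its default.
SAMPLE_RESULTS = {"GET": 200, "HEAD": 200, "POST": 200, "PUT": 403,
                  "DELETE": 403, "OPTIONS": 403, "PATCH": 403, "TRACE": 200}

if __name__ == "__main__":
    results = probe_methods(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESULTS
    for method, status in results.items():
        print(f"{method:8}{status}")
    leftovers = find_unexpected_methods(results)
    print("enabled but not on the allow-list:", ", ".join(leftovers) or "none")
```

Run it with the host of the restarted server as its only argument (for example python3 audit_methods.py 127.0.0.1, the file name being your choice); with no argument it evaluates the constructed sample and reports TRACE, the one method a <LimitExcept> section cannot disable.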