Restricting unused HTTP methods in Apache reduces the attack surface and removes unexpected request paths that scanners and opportunistic clients probe. A tight method allowlist also helps keep application behavior predictable by limiting requests to the verbs the service actually supports.

In Apache, method-based control is implemented by scoping authorization rules to request verbs using containers such as <Limit> and <LimitExcept> within a relevant configuration context like <VirtualHost> or <Location>. An allowlist built with <LimitExcept> is the safer pattern because the enclosed access rules apply to every method not explicitly named, including nonstandard methods.

Method filtering is workload-specific: disabling OPTIONS can break browser CORS preflight, and APIs may legitimately use PUT, PATCH, or DELETE. The TRACE method is controlled separately using TraceEnable, so set it explicitly alongside the allowlist and validate syntax before reloading the service.

Steps to disable HTTP methods in Apache:

  1. Open the site's Apache virtual host configuration for editing.
    $ sudo vi /etc/apache2/sites-available/000-default.conf

    On Ubuntu or Debian, enabled site configs are typically linked from /etc/apache2/sites-enabled and often include a separate HTTPS vhost in /etc/apache2/sites-available/default-ssl.conf.

  2. Locate the <VirtualHost> block that serves the site.
    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
     
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
  3. Set TraceEnable to off inside the same <VirtualHost>.
    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
     
        TraceEnable off
     
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

    TraceEnable extended reflects request bodies for diagnostics and is not appropriate for production hardening.

  4. Add a <Location> method allowlist using <LimitExcept>.
    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
     
        TraceEnable off
     
        <Location />
            <LimitExcept GET POST>
                Require all denied
            </LimitExcept>
        </Location>
     
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

    Methods not listed in <LimitExcept> are denied for this vhost, including common API verbs like PUT and DELETE.

    Listing GET in <LimitExcept> also exempts HEAD, and method names are case-sensitive, so they must be written exactly as the client sends them.

  5. Write the updated configuration file to disk.
  6. Validate the Apache configuration syntax.
    $ sudo apache2ctl configtest
    Syntax OK
  7. Reload Apache to apply the changes.
    $ sudo systemctl reload apache2
  8. Confirm the Apache service is active.
    $ sudo systemctl status apache2
    ● apache2.service - The Apache HTTP Server
         Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
         Active: active (running) since Sat 2025-12-13 12:01:02 UTC; 8s ago
           Docs: https://httpd.apache.org/docs/2.4/
    ##### snipped #####
  9. Verify that TRACE requests return 405.
    $ curl -i -X TRACE http://127.0.0.1/
    HTTP/1.1 405 Method Not Allowed
    Date: Sat, 13 Dec 2025 12:01:18 GMT
    Server: Apache/2.4.57 (Ubuntu)
    Content-Length: 307
    Content-Type: text/html; charset=iso-8859-1
    
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>405 Method Not Allowed</title>
    </head><body>
    <h1>Method Not Allowed</h1>
    <p>The requested method TRACE is not allowed for this URL.</p>
    <hr>
    <address>Apache/2.4.57 (Ubuntu) Server at 127.0.0.1 Port 80</address>
    </body></html>
  10. Verify that a non-allowlisted method is denied.
    $ curl -i -X OPTIONS http://127.0.0.1/
    HTTP/1.1 403 Forbidden
    Date: Sat, 13 Dec 2025 12:01:22 GMT
    Server: Apache/2.4.57 (Ubuntu)
    Content-Length: 278
    Content-Type: text/html; charset=iso-8859-1
    
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>403 Forbidden</title>
    </head><body>
    <h1>Forbidden</h1>
    <p>Access to this resource is denied.</p>
    <hr>
    <address>Apache/2.4.57 (Ubuntu) Server at 127.0.0.1 Port 80</address>
    </body></html>

    Blocking OPTIONS can break CORS preflight, so include OPTIONS in the allowlist when browser clients require it.

  11. Verify that an allowlisted method still succeeds.
    $ curl -I http://127.0.0.1/
    HTTP/1.1 200 OK
    Date: Sat, 13 Dec 2025 12:01:26 GMT
    Server: Apache/2.4.57 (Ubuntu)
    Content-Type: text/html
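    The script below is an added example and is not part of the article or of Apache itself. It audits a vhost's text offline for the two settings the procedure above introduces (TraceEnable and the <Location /> <LimitExcept> allowlist) and predicts the status code each of the curl probes in steps 9 to 11 should observe, so a config can be checked before it is reloaded; apache2ctl configtest only proves that the syntax parses, not that the policy is what you intended. The embedded vhost texts are constructed for the example (the hardened one mirrors step 4), and the function names parse_policy, expected_status and audit are the example's own.

```python
"""Offline audit of an Apache vhost method allowlist.

Added example, not from the article: reads the vhost text, extracts
TraceEnable and the <LimitExcept ...> allowlist, predicts what the
curl probes in steps 9-11 should see, and lists hardening gaps.
"""
import re

# Constructed sample: the hardened vhost from step 4 of the procedure.
HARDENED_VHOST = """\
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    TraceEnable off

    <Location />
        <LimitExcept GET POST>
            Require all denied
        </LimitExcept>
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
"""

# Constructed sample: a vhost that was never hardened (TraceEnable left at extended).
WEAK_VHOST = """\
<VirtualHost *:80>
    DocumentRoot /var/www/html
    TraceEnable extended
</VirtualHost>
"""

# Directive names are case-insensitive in Apache; the method names inside
# <LimitExcept> are not, so they are captured exactly as written.
TRACE_RE = re.compile(r"^\s*TraceEnable\s+(\S+)", re.IGNORECASE | re.MULTILINE)
LIMIT_EXCEPT_RE = re.compile(r"<LimitExcept\s+([^>]+)>(.*?)</LimitExcept>",
                             re.IGNORECASE | re.DOTALL)
DENY_RE = re.compile(r"^\s*Require\s+all\s+denied\s*$", re.IGNORECASE | re.MULTILINE)


def parse_policy(config: str) -> dict:
    """Extract the method policy from one vhost's text.

    trace_enable defaults to 'on' (Apache's default) when the directive is absent;
    allowed is the set of methods named in <LimitExcept>, or None when there is no
    allowlist; denies_rest is True only when the block carries 'Require all denied'.
    """
    trace_match = TRACE_RE.search(config)
    trace_enable = trace_match.group(1).lower() if trace_match else "on"
    block = LIMIT_EXCEPT_RE.search(config)
    if block is None:
        return {"trace_enable": trace_enable, "allowed": None, "denies_rest": False}
    allowed = set(block.group(1).split())
    denies_rest = DENY_RE.search(block.group(2)) is not None
    return {"trace_enable": trace_enable, "allowed": allowed, "denies_rest": denies_rest}


def expected_status(policy: dict, method: str) -> int:
    """Predict what the step 9-11 curl probes should see for one request method.

    TRACE is decided by TraceEnable (405 when off, as step 9 shows), HEAD rides on
    GET inside <LimitExcept>, and any other unlisted method gets 403 when the block
    denies. 200 means only "not blocked by this policy"; the real response still
    depends on the resource being requested.
    """
    if method == "TRACE" and policy["trace_enable"] == "off":
        return 405
    if policy["allowed"] is None or not policy["denies_rest"]:
        return 200
    effective = set(policy["allowed"])
    if "GET" in effective:
        effective.add("HEAD")
    return 200 if method in effective else 403


def audit(config: str, browser_clients: bool = False) -> list:
    """Return findings as strings; an empty list means the vhost matches the hardening above."""
    policy = parse_policy(config)
    findings = []
    if policy["trace_enable"] != "off":
        findings.append(f"TraceEnable is '{policy['trace_enable']}', expected 'off'")
    if policy["allowed"] is None:
        findings.append("no <LimitExcept> allowlist found")
    elif not policy["denies_rest"]:
        findings.append("<LimitExcept> block lacks 'Require all denied'")
    elif browser_clients and "OPTIONS" not in policy["allowed"]:
        findings.append("OPTIONS is not allowlisted; CORS preflight will get 403")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_VHOST), ("weak", WEAK_VHOST)):
        pol = parse_policy(cfg)
        probes = ("GET", "HEAD", "OPTIONS", "PUT", "TRACE")
        print(name, {m: expected_status(pol, m) for m in probes})
        print(name, "findings:", audit(cfg) or "none")
```

    Run it against the text of the edited vhost before step 7; a non-empty audit() result, or an expected_status() table that disagrees with what the curl checks later return, is the signal that the allowlist or TraceEnable did not land where you thought. Pass browser_clients=True for sites that serve browser front-ends, which turns the CORS caveat from step 10 into a finding.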