Disabling unneeded HTTP methods in Apache reduces the attack surface of a web server. TRACE is the main offender: it echoes the request back to the client, headers and cookies included, which is what cross-site tracing (XST) abuses. OPTIONS tells an attacker which methods a resource accepts, and PUT, DELETE and PATCH should not be reachable at all unless the application handles them. HEAD is just GET without a response body and is restricted together with GET, so it rarely needs separate treatment. Allowing only the methods the application uses keeps the security boundary tight and avoids leaking server details.

In Apache, administrators control HTTP methods through the configuration files: apache2.conf and the virtual-host files under sites-available on Debian and Ubuntu, httpd.conf (and conf.d) on Red Hat-based systems. Listing only the methods legitimate traffic requires rejects every other request before it reaches a handler and hardens the environment as a whole.

Do not assume the defaults are safe. Apache answers TRACE requests unless TraceEnable off is set, and whether a PUT or DELETE does anything depends on which modules (mod_dav, CGI scripts, a proxied backend) end up handling the request. Verify the settings on every server and adjust them explicitly. Permitting only the methods the application needs and denying everything else is standard hardening practice.

Steps to disable HTTP methods in Apache:

  1. Open the Apache configuration file using a text editor.
    $ sudo vi /etc/apache2/sites-available/000-default.conf
    Password:
  2. Navigate to the <Directory> block that corresponds to your website’s document root or the location where you want to apply restrictions.
    <Directory /var/www/html>
      Options Indexes FollowSymLinks
      AllowOverride None
      Require all granted
    </Directory>
  3. Add a <LimitExcept> block inside the <Directory> block that lists the methods to allow; every method not listed is denied.
    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
     
        <LimitExcept GET POST>
            Require all denied
        </LimitExcept>
     
    </Directory>

    Methods not listed in the LimitExcept block are denied. With GET and POST listed, Apache also accepts HEAD (restricting GET covers HEAD as well) and rejects PUT, DELETE, PATCH, OPTIONS and anything else. Only disable methods your application does not need: REST-style APIs and WebDAV (mod_dav) rely on PUT, DELETE or PATCH. Two caveats: LimitExcept cannot restrict TRACE, so set TraceEnable off at server or virtual-host level as well, and the block only covers requests mapped to this directory, so paths served through <Location> or ProxyPass need their own restriction.

  4. Save the file and exit the text editor.
  5. Check the syntax with apachectl configtest (apache2ctl on Debian and Ubuntu), then restart Apache to apply the new configuration.
    $ sudo systemctl restart apache2 # Ubuntu, Debian
    $ sudo systemctl restart httpd # CentOS and Red Hat
  6. Test the server to verify that the unwanted methods are rejected. Repeat with DELETE, OPTIONS and TRACE. A 403 (denied by the LimitExcept block) or a 405 (no handler for the method, or TRACE with TraceEnable off) means the request was refused; a 2xx means it got through.
    $ curl -X PUT http://127.0.0.1
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>405 Method Not Allowed</title>
    </head><body>
    <h1>Method Not Allowed</h1>
    <p>The requested method PUT is not allowed for this URL.</p>
    <hr>
    <address>Apache/2.4.55 (Ubuntu) Server at 127.0.0.1 Port 80</address>
    </body></html>
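The verification above, carried through as an added example that is not part of the original article: a POSIX shell script that audits a virtual-host file for the two controls this procedure needs (a <LimitExcept> block, and TraceEnable off because LimitExcept cannot restrict TRACE) and probes a running server with curl for each common method, flagging any non-allowed method the server did not reject. The allowed-method list (GET, HEAD, POST), the probed URL and the file path are assumptions for illustration; the probe needs a reachable server, the audit and the result filter run offline.

```shell
#!/bin/sh
# Added example, not from the article. Assumptions: the application only
# needs GET, HEAD and POST; curl is installed; the server under test is
# reachable at the URL passed to probe_methods.

ALLOWED_METHODS="GET HEAD POST"
PROBE_METHODS="GET HEAD POST PUT DELETE PATCH OPTIONS TRACE"

# audit_config FILE
# Prints one finding per missing control and returns non-zero if any is missing.
# Check 1: a <LimitExcept ...> block (denies every method it does not list).
# Check 2: "TraceEnable off", because <LimitExcept> cannot restrict TRACE.
audit_config() {
    conf="$1"
    rc=0
    if ! grep -qE '^[[:space:]]*<LimitExcept[[:space:]]' "$conf"; then
        echo "finding: no <LimitExcept> block in $conf"
        rc=1
    fi
    if ! grep -qiE '^[[:space:]]*TraceEnable[[:space:]]+off' "$conf"; then
        echo "finding: TraceEnable off not set in $conf (TRACE still answered)"
        rc=1
    fi
    return $rc
}

# probe_methods URL
# Sends one request per method and prints "METHOD STATUS" lines, e.g. "PUT 405".
# -X forces the request verb (curl -I would send HEAD instead of TRACE);
# -o /dev/null -w '%{http_code}' prints only the status code.
probe_methods() {
    url="$1"
    for m in $PROBE_METHODS; do
        code=$(curl -s -o /dev/null -w '%{http_code}' -X "$m" "$url")
        printf '%s %s\n' "$m" "$code"
    done
}

# unexpected_methods < probe-output
# Reads "METHOD STATUS" lines and prints each method that is not in
# ALLOWED_METHODS yet was not refused. Refusals are 403 (LimitExcept deny),
# 405 (no handler, or TRACE with TraceEnable off) and 501 (unknown method).
unexpected_methods() {
    while read -r method status; do
        [ -n "$method" ] || continue
        case " $ALLOWED_METHODS " in
            *" $method "*) continue ;;
        esac
        case "$status" in
            403|405|501) ;;
            *) echo "$method" ;;
        esac
    done
}

# Typical run against the server from the article (needs a live host):
#   audit_config /etc/apache2/sites-available/000-default.conf
#   probe_methods http://127.0.0.1/ | unexpected_methods
# An empty result from the second line means every non-allowed method was refused.
```

Run the audit against every enabled vhost, not just the one you edited, and probe each distinct URL prefix (static root, API paths, anything behind ProxyPass), since a <LimitExcept> inside one <Directory> block says nothing about requests mapped elsewhere.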