LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Disabling HEAD, OPTIONS HTTP METHODS in Apache Webserver (https://www.linuxquestions.org/questions/linux-security-4/disabling-head-options-http-methods-in-apache-webserver-763347/)

ankit.thakkar 10-20-2009 10:56 PM

Disabling HEAD, OPTIONS HTTP METHODS in Apache Webserver
 
Dear All,

We are facing some challenges disabling unnecessary HTTP methods, i.e. HEAD, OPTIONS, TRACE, DELETE, with the Apache web server; we are using version Apache/2.2.3.

TRACE we have disabled using TraceEnable off.

We tried with
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule .* - [F]

But we are not able to disable them using the above rewrite rule. Can anyone suggest a solution to this issue?


Thanks

raskin 10-20-2009 11:59 PM

http://httpd.apache.org/docs/2.2/mod/core.html#limit

I am not quite sure why you would want to forbid HEAD, though. If you can be attacked via HEAD, the same attack will get you via GET.

ankit.thakkar 10-21-2009 01:32 PM

Thanks raskin for your support.

We successfully disabled PUT,DELETE,TRACE,OPTIONS using

<LimitExcept GET POST>
deny from all
</LimitExcept>

But using the above configuration, HEAD requests are still allowed on the web server, as GET and HEAD are almost the same. But the client is insisting that we disable HEAD also.

We tried to disable using

<LimitExcept GET POST>
deny from all
</LimitExcept>


<Limit HEAD>
deny from all
</Limit>

But it blocked GET and POST also.

Can you please suggest some solution to restrict only HEAD?

raskin 10-21-2009 02:26 PM

Read the documentation I referenced once again.

Quote:

Originally Posted by Apache HTTPD documentation
The method names listed can be one or more of: GET, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK. The method name is case-sensitive. If GET is used it will also restrict HEAD requests. The TRACE method cannot be limited.

So GET = HEAD from Apache's point of view here, so there is no way to filter the request.

Just in case: Nginx also thinks that, for limit_except, GET includes HEAD. Lighttpd seems not to have per-method configuration. You could try redirecting to different URLs using the request_method value, and then one of them would return 403. The other way is to educate customers, which can be an even more perverse task.

beeyes76 12-23-2009 05:09 AM

Please find the required answer below:

********************
Description: How to disable the HTTP TRACE method on recent apache versions.

Most vulnerability scanners (like the popular Nessus, but commercial ones also) will complain (normally at a low threat or warning level) about the TRACE method being enabled on the web server tested.

Normally you will have this enabled by default, but if you want to test whether it is really enabled on your server you just have to telnet to the port your web server is running on and request "TRACE / HTTP/1.0"; if you get a positive reply it means TRACE is enabled on your system. The output of a server with TRACE enabled will look like:

telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: foo
Any text entered here will be echoed back in the response <- ENTER twice to finish

HTTP/1.1 200 OK
Date: Sat, 20 Oct 2007 20:39:36 GMT
Server: Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07)
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: foo
Any text entered here will be echoed back in the response

Connection closed by foreign host.

Traditionally experts will suggest disabling this using some rewrite rules like:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
(this needs to be added somewhere in your main apache config file outside of any vhost or directory config).

Still, this has the disadvantage that you need to have mod_rewrite enabled on the server, just to mention one. But for Apache versions newer than 1.3.34 for the legacy branch, and 2.0.55 (or newer) for Apache 2, this can be done very easily because there is a new Apache variable that controls whether the TRACE method is enabled or not:
TraceEnable off
This needs to be added in the main server config, and the default is enabled (on). TraceEnable off causes Apache to return a 403 FORBIDDEN error to the client.

After setting this and reloading the apache config the same server as above shows:

telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: foo
testing... <- ENTER twice

HTTP/1.1 403 Forbidden
Date: Sat, 20 Oct 2007 20:38:31 GMT
Server: Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07)
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
<hr>
<address>Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07) Server at foo Port 80</address>
</body></html>
Connection closed by foreign host.

********************

Don't forget to restart the service after changes have been made to the configuration file, and test the same locally.

innominate 10-29-2011 02:13 AM

This is an old thread, but it still ranks 1st on Google for 'apache disable head request'.

Here is the recipe to allow only GET and POST and disable HTTP/1.0. It also disables proxy requests.
It uses the Apache internal variable THE_REQUEST:


Code:

RewriteEngine on
RewriteCond %{THE_REQUEST} !^(POST|GET)\ /.*\ HTTP/1\.1$
RewriteRule .* - [F]
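
To see exactly which request lines the rule above rejects, and why it succeeds where <Limit HEAD> could not (raskin's point that Apache treats HEAD as GET in Limit sections), here is an added example that is not from the thread: it models the negated RewriteCond as a Python regex and runs it over constructed request lines (HEAD, OPTIONS, TRACE, HTTP/1.0, a proxy-style absolute URI, and a lower-case method).

```python
import re

# innominate's RewriteCond pattern rewritten as a Python regex (constructed
# here to model the decision; this is not Apache's matcher).  Apache escapes
# the spaces as "\ "; in Python a literal space means the same thing.
# THE_REQUEST is the full request line, e.g. "GET /index.html HTTP/1.1".
ALLOWED_REQUEST_LINE = re.compile(r"^(POST|GET) /.* HTTP/1\.1$")


def is_forbidden(request_line: str) -> bool:
    """True when the negated ('!') RewriteCond matches, i.e. the request line
    does NOT look like 'GET|POST /<path> HTTP/1.1', so RewriteRule answers 403."""
    return ALLOWED_REQUEST_LINE.match(request_line) is None


# Constructed sample request lines covering the cases discussed in the thread.
# Value = whether the rule is expected to return 403 Forbidden.
SAMPLES = {
    "GET / HTTP/1.1": False,                    # plain GET, allowed
    "POST /login HTTP/1.1": False,              # plain POST, allowed
    "HEAD / HTTP/1.1": True,                    # HEAD is a distinct token here, so it is blocked
    "OPTIONS * HTTP/1.1": True,                 # OPTIONS blocked
    "TRACE / HTTP/1.1": True,                   # TRACE fails the pattern too
    "GET / HTTP/1.0": True,                     # HTTP/1.0 rejected
    "GET http://example.com/ HTTP/1.1": True,   # proxy-style absolute URI: no leading "/"
    "get / HTTP/1.1": True,                     # method names are case-sensitive
}


def check_all(samples=SAMPLES):
    """Evaluate every sample and return {request_line: forbidden?}."""
    return {line: is_forbidden(line) for line in samples}


if __name__ == "__main__":
    for line, blocked in check_all().items():
        print(f"{'403' if blocked else '200'}  {line}")
```

Note the two side effects the post mentions: anything speaking HTTP/1.0 and any absolute-URI (proxy) request is refused as well, so confirm that legitimate clients of the site send HTTP/1.1 before deploying this.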


adityakamble 01-28-2020 04:50 AM

Quote:

Originally Posted by ankit.thakkar (Post 3727543)
Thanks raskin for your support.

We successfully disabled PUT,DELETE,TRACE,OPTIONS using

<LimitExcept GET POST>
deny from all
</LimitExcept>

But using the above configuration, HEAD requests are still allowed on the web server, as GET and HEAD are almost the same. But the client is insisting that we disable HEAD also.

We tried to disable using

<LimitExcept GET POST>
deny from all
</LimitExcept>


<Limit HEAD>
deny from all
</Limit>

But it blocked GET and POST also.

Can you please suggest some solution to restrict only HEAD?

I want to block httpd methods except GET and POST. Please give me a solution; I am using Apache httpd VirtualHost.

sevendogsbsd 01-28-2020 07:59 AM

This is a 9 year old thread and you have asked this question in another thread already. Posting multiple threads of the same subject isn't going to get your question answered any faster...

TB0ne 01-28-2020 08:01 AM

Quote:

Originally Posted by adityakamble (Post 6083713)
I want to block httpd methods except GET and POST. Please give me a solution; I am using Apache httpd VirtualHost.

Have you read the posts in this thread??? Have you read the LQ Rules about duplicate postings, and not re-opening old threads, or hijacking them with your own questions???

The solution is described here in this thread and in the Apache docs.
