Disabling HEAD, OPTIONS HTTP METHODS in Apache Webserver
Dear All,
We are facing some challenges disabling unnecessary HTTP methods, i.e. HEAD, OPTIONS, TRACE, DELETE, with the Apache web server; we are using version Apache/2.2.3.
TRACE we have disabled using TraceEnable off.
We tried with
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule .* - [F]
but were not able to disable them using the above rewrite rule. Can anyone suggest something on this issue?
We successfully disabled PUT, DELETE, TRACE and OPTIONS using
<LimitExcept GET POST>
deny from all
</LimitExcept>
But with the above configuration, HEAD requests are still allowed on the web server.
GET and HEAD are almost the same, but the client insists that we disable HEAD also.
We tried to disable it using
<LimitExcept GET POST>
deny from all
</LimitExcept>
<Limit HEAD>
deny from all
</Limit>
But it blocked GET and POST also.
Can you please suggest a solution to restrict only HEAD?
Read the documentation I referenced once again.
Quote:
Originally Posted by Apache HTTPD documentation
The method names listed can be one or more of: GET, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK. The method name is case-sensitive. If GET is used it will also restrict HEAD requests. The TRACE method cannot be limited.
So GET = HEAD from Apache's point of view here, so there is no way to filter the request.
Just in case: Nginx also thinks that, for limit_except, GET includes HEAD. Lighttpd seems not to have per-method configuration. You could try redirecting to different URLs using the request_method value, and then one of them would return 403. The other way is to educate customers, which can be an even more perverse task.
Description: How to disable the HTTP TRACE method on recent Apache versions.
Most vulnerability scanners (like the popular Nessus, but commercial ones also) will complain (normally at a low threat or warning level) about the TRACE method being enabled on the web server tested.
Normally you will have this enabled by default, but if you want to test whether it is really enabled on your server, you just have to telnet to the port your web server is running on and request "TRACE / HTTP/1.0"; if you get a positive reply, it means TRACE is enabled on your system. The output of a server with TRACE enabled will look like:
telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: foo
Any text entered here will be echoed back in the response <- ENTER twice to finish
HTTP/1.1 200 OK
Date: Sat, 20 Oct 2007 20:39:36 GMT
Server: Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07)
Connection: close
Content-Type: message/http
TRACE / HTTP/1.0
Host: foo
Any text entered here will be echoed back in the response
Connection closed by foreign host.
Traditionally, experts will suggest disabling this using rewrite rules like:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
(This needs to be added somewhere in your main Apache config file, outside of any vhost or directory config.)
Still, this has the disadvantage that you need to have mod_rewrite enabled on the server, just to mention one. But for Apache versions newer than 1.3.34 for the legacy branch, and 2.0.55 (or newer) for apache2, this can be done very easily, because there is a new Apache variable that controls whether the TRACE method is enabled or not:
TraceEnable off
This needs to be added in the main server config, and the default is enabled (on). TraceEnable off causes Apache to return a 403 FORBIDDEN error to the client.
After setting this and reloading the Apache config, the same server as above shows:
telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: foo
testing... <- ENTER twice
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
<hr>
<address>Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07) Server at foo Port 80</address>
</body></html>
Connection closed by foreign host.
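Putting the pieces of this thread together (the LimitExcept block from the original question, the note that Apache treats HEAD as GET inside Limit/LimitExcept, the request_method workaround suggested in the reply, and TraceEnable off from the TRACE how-to above), here is an added Apache 2.2 virtual-host configuration that allows only GET and POST. It is not code posted by anyone in this thread or by the Apache project. It assumes mod_rewrite and mod_authz_host are loaded, and the server name and document root are placeholders.

```apache
# Added example (not from this thread): restrict an Apache 2.2 vhost to GET and POST.
# Assumes mod_rewrite and mod_authz_host are loaded; ServerName and paths are placeholders.
<VirtualHost *:80>
    ServerName www.example.test
    DocumentRoot /var/www/example

    # TRACE cannot be limited with <Limit>/<LimitExcept>, so it needs its own directive.
    # TraceEnable is valid in server config and virtual host context; the default is "on".
    TraceEnable off

    # Deny every method other than GET and POST (OPTIONS, PUT, DELETE, PROPFIND, ...).
    # Apache counts HEAD as GET here, so HEAD is still allowed by this block on its own.
    <Directory /var/www/example>
        <LimitExcept GET POST>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Directory>

    # HEAD has to be refused separately by inspecting the request method with mod_rewrite.
    # RewriteEngine On is required in every vhost that should apply the rule (without it
    # the rule silently never fires), and the pattern is anchored with ^...$ so it only
    # matches the HEAD token itself. [F] answers 403 Forbidden, like TraceEnable off does.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^HEAD$
    RewriteRule .* - [F]
</VirtualHost>
```

To verify, repeat the telnet check from the how-to above with "HEAD / HTTP/1.0" and "GET / HTTP/1.0": HEAD should now receive the 403 page while GET still returns 200, and "OPTIONS / HTTP/1.0" and "TRACE / HTTP/1.0" should both be refused. Before denying HEAD on a production host, confirm that no load-balancer health check or monitoring probe relies on it, since those commonly use HEAD and would start reporting the site as down.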
I want to block HTTP methods except GET and POST. Please give me a solution; I am using an Apache httpd VirtualHost.
This is a 9 year old thread and you have asked this question in another thread already. Posting multiple threads of the same subject isn't going to get your question answered any faster...
Have you read the posts in this thread??? Have you read the LQ Rules about duplicate postings, and not re-opening old threads, or hijacking them with your own questions???
The solution is described here in this thread and in the Apache docs.