How to disable Apache HTTP OPTIONS method


OPTIONS is not really a vulnerability, but since there is no real use for it, it should ideally be disabled.

Hopefully you have already disabled the TRACE method in your Apache configuration in either of the ways below:

TraceEnable off

OR

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

(Make sure the mod_rewrite module is enabled for this to work.)

And you might have tried to disable the OPTIONS method with a RewriteCond like the one below:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|OPTIONS)
RewriteRule .* - [F]

You may have noticed that the above does not disable the OPTIONS method; it actually disables only the TRACE method. We can use telnet to verify this:

# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
OPTIONS / HTTP/1.1
Host: 127.0.0.1   ==> hit enter twice

If you get the output below with an HTTP 200 status code, the OPTIONS method is still enabled.

Allow: GET, HEAD, POST, OPTIONS

Please refer to my other post for checking an HTTPS (443) website: https://sureshk37.wordpress.com/2014/05/04/how-to-test-the-available-http-method-for-a-web-instanceurl/
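
The telnet check above as a script (an added example, not code from the original post): it sends the same raw request over plain HTTP and applies the post's criterion that a 200 status means the method is still enabled. The function names, the sample replies and the script name in the comment are constructed for illustration.

```python
import socket
import sys

# Constructed sample replies (not captured from a real server).
SAMPLE_ENABLED = b"HTTP/1.1 200 OK\r\nAllow: GET, HEAD, POST, OPTIONS\r\nContent-Length: 0\r\n\r\n"
SAMPLE_BLOCKED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"


def parse_response(raw):
    """Return (status_code, methods listed in Allow) from raw HTTP reply bytes."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response: %r" % lines[0])
    allowed = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            allowed += [m.strip().upper() for m in value.split(",") if m.strip()]
    return int(parts[1]), allowed


def verdict(raw):
    """Apply the post's criterion: a 200 status means the method is still enabled."""
    status, allowed = parse_response(raw)
    return {"status": status, "enabled": status == 200, "allow": allowed}


def probe(host, port, method, timeout=5.0):
    """Send the request typed into telnet above and return the reply headers."""
    request = "%s / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % (method, host)
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        # Stop at the end of the headers; cap the read so a bad peer cannot flood us.
        while b"\r\n\r\n" not in buf and len(buf) < 65536:
            data = sock.recv(4096)
            if not data:
                break
            buf += data
    return buf


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 check_methods.py 127.0.0.1 80
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        for method in ("OPTIONS", "TRACE"):
            print(method, verdict(probe(sys.argv[1], port, method)))
    else:  # offline demo on the constructed samples
        print("OPTIONS", verdict(SAMPLE_ENABLED))
        print("OPTIONS", verdict(SAMPLE_BLOCKED))
```

Run it with a host and port after each configuration change to confirm the result for both OPTIONS and TRACE in one pass.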