httpd-users mailing list archives

From Toomas Aas <toomas....@reach-u.com>
Subject [users@httpd] Block access to "OPTIONS *"
Date Thu, 11 Feb 2016 21:56:22 GMT
Hello!

An external party performed a "security scan" against our web server, which 
is running version 2.2.29. One of the findings is that the OPTIONS directive 
is not blocked and I am tasked with fixing this.

Google turns up two popular approaches:

Approach 1:
-------------------------------------
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule .* - [R=405,L]
-------------------------------------

Approach 2:
--------------------
<Location />
<Limit OPTIONS>
         Order allow,deny
         Deny from all
</Limit>
</Location>
--------------------

I have tried them both, and they nicely block requests such as "OPTIONS 
/" or "OPTIONS /whatever". However, the security scan software performs 
the request "OPTIONS *". To that, Apache still responds with status code 200.

It is obvious why this happens with the second method, so I tried 
<LocationMatch .*> instead of <Location />. No difference.

How can I block requests to "OPTIONS *" so that the response would be 
something with a 4xx error?

-- 
Toomas Aas | support engineer
www.reach-u.com
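
Added example, not part of the original message: a small check that reproduces the scanner's finding by sending OPTIONS with the "*" target and with path targets, then lists every target that did not get a 4xx. The function names and StubHandler are hypothetical; the stub is a constructed stand-in that mimics the behaviour described above (405 for paths, 200 for "*") so the script runs offline. Point probe_options() at your own server to test a real configuration.

```python
import http.client
import http.server
import threading

TARGETS = ("*", "/", "/whatever")  # request targets named in the post

def probe_options(host, port, targets=TARGETS, timeout=5):
    """Return {target: status} for an OPTIONS request to each target."""
    results = {}
    for target in targets:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            # http.client writes the target verbatim, so "*" goes on the
            # wire as "OPTIONS * HTTP/1.1" (asterisk-form).
            conn.request("OPTIONS", target)
            results[target] = conn.getresponse().status
        finally:
            conn.close()
    return results

def unblocked(results):
    """Targets whose OPTIONS response was not a 4xx."""
    return sorted(t for t, s in results.items() if not 400 <= s < 500)

class StubHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in: 405 for path targets, 200 for '*'."""
    def do_OPTIONS(self):
        self.send_response(200 if self.path == "*" else 405)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    """Probe the local stub and return (results, unblocked targets)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        results = probe_options("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()
    return results, unblocked(results)

if __name__ == "__main__":
    print(demo())
```
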
