How to disable HTTP methods in Apache
HTTP methods or verbs, such as GET, POST, PUT, DELETE, and others, define the type of action to be performed on a resource. While some of these methods are essential for most web applications, others may not be needed and could pose a security risk if not handled appropriately. For instance, the TRACE method can be used in cross-site tracing attacks if not disabled.
In the Apache web server, it's possible to allow or deny specific HTTP methods using configurations in either the global server config or within specific directory blocks. This way, you can restrict unnecessary methods from being exploited by potential attackers.
While Apache by default might have most potentially risky methods disabled or not implemented, ensuring that only the methods you specifically need are enabled is a good security practice.
Steps to disable HTTP methods in Apache:
-
Open the Apache configuration file using a text editor of your choice.
$ sudo vi /etc/apache2/sites-available/000-default.conf Password:
-
Go to the <Directory> block that matches your website's document root or the location where you want to apply the restrictions.
<Directory /var/www/html> Options Indexes FollowSymLinks AllowOverride None Require all granted </Directory>
-
Add the LimitExcept directive within the Directory block to specify which HTTP methods are allowed.
<Directory /var/www/html> Options Indexes FollowSymLinks AllowOverride None Require all granted <LimitExcept GET POST> Require all denied </LimitExcept> </Directory>
Method not listed in the LimitExcept directive are denied, which in this case includes PUT and DELETE. Make sure that you only disable the methods not required by your web application, as some applications may need additional methods like PUT or DELETE.
-
Save the file and exit the text editor.
-
Restart Apache to apply the changes.
$ sudo systemctl restart apache2 # Ubuntu, Debian $ sudo systemctl restart httpd # CentOS and Red Hat
-
Test your server's behavior using tools like curl to ensure undesired methods are indeed disabled.
$ $ curl -X PUT http://127.0.0.1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>405 Method Not Allowed</title> </head><body> <h1>Method Not Allowed</h1> <p>The requested method PUT is not allowed for this URL.</p> <hr> <address>Apache/2.4.55 (Ubuntu) Server at 127.0.0.1 Port 80</address> </body></html>