I have this issue with web application inspection software. The recommendation was to disable OPTION METHODS on the webserver.
Upon research, I have included this snippet in my httpd.conf, then restarted the server.
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]
How can I verify if the code is implemented and will block all OPTIONS requests?
I have tried this:
curl --request OPTIONS http://10.1.1.1/mysite
but all I get is 301 Moved Permanently:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://10.1.1.1/mysite">here</a>.</p>
<hr>
<address>Apache/2.2.22 (Ubuntu) Server at 10.1.1.1 Port 80</address>
</body></html>
Best Answer
Rather than using mod_rewrite, you should be able to disable arbitrary methods using the Limit or LimitExcept directives, which are designed to do just what you want.
You can test using nc or telnet to talk directly to the httpd process.
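
Added example (not part of the original question or answer): a small script that sends a raw OPTIONS request with nc, as the answer suggests, and classifies the reply, treating a 301 like the one in the question as inconclusive rather than as a pass or fail. The function names, the status codes counted as "blocked", and the sample response are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: judge the reply to a raw OPTIONS probe.

# Print the three-digit status code from the first line of a response.
status_of() {
    sed -n '1s|^HTTP/[0-9.]* \([0-9][0-9][0-9]\).*|\1|p'
}

# Read a raw HTTP response on stdin and print a verdict.
verdict() {
    # Drop CRs and keep only the header block (everything up to the blank line).
    resp=$(tr -d '\r' | sed '/^$/q')
    code=$(printf '%s\n' "$resp" | status_of)
    case "$code" in
        403|405|501)
            # 403 is what the [F] flag returns; 405/501 also refuse the method.
            echo "blocked ($code)" ;;
        301|302|303|307|308)
            # A redirect alone does not show how the target URL treats OPTIONS.
            loc=$(printf '%s\n' "$resp" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
            echo "inconclusive ($code): retry against ${loc:-the redirect target}" ;;
        2??)
            allow=$(printf '%s\n' "$resp" | sed -n 's/^[Aa]llow: *//p' | head -n 1)
            echo "allowed ($code) Allow: ${allow:-none}" ;;
        *)
            echo "inconclusive (${code:-no status line})" ;;
    esac
}

# probe HOST PORT PATH: talk to httpd directly with nc and judge the reply.
probe() {
    printf 'OPTIONS %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$3" "$1" |
        nc -w 5 "$1" "$2" | verdict
}

# Constructed sample modelled on the 301 in the question (headers are made up).
sample_301() {
    printf 'HTTP/1.1 301 Moved Permanently\r\n'
    printf 'Location: http://10.1.1.1/mysite/\r\n\r\n'
    printf '<html><body>Moved Permanently</body></html>\n'
}

if [ "$#" -eq 3 ]; then
    probe "$1" "$2" "$3"
else
    sample_301 | verdict
fi
```

Run it as `sh check_options.sh 10.1.1.1 80 /mysite/` (the script name is arbitrary); with no arguments it classifies the constructed sample only.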