About the OPTIONS method

OPTIONS is a diagnostic method that is mainly used for debugging purposes. This HTTP method reports which HTTP methods are allowed on the web server. In reality, it is rarely used for legitimate purposes, but it does give a potential attacker a little bit of help, and it can be considered a shortcut to finding another hole.

How to fix it

The OPTIONS method should be disabled.

Way to do it

The way to disable the OPTIONS method varies depending on the type and version of the web server.

IIS (For new versions)

In IIS, this can be done by denying the OPTIONS verb in the HTTP Verbs rules of Request Filtering.

  • Open IIS Manager.
  • Select the name of the machine to configure this globally (or change to the specific web site for which you need to configure this).
  • Double-click "Request Filtering".
  • Change to the HTTP Verbs tab.
  • From the Actions pane, select "Deny Verb".
  • Enter 'OPTIONS' in the Verb field, and press OK to save the change.
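
The same Request Filtering rule can be applied from PowerShell and then checked with a real OPTIONS request. This is an added example, not part of the original page; it assumes IIS 7 or later with the WebAdministration module, an elevated session, and placeholder values for the site name and URL.

```powershell
# Added example. Assumes IIS 7 or later, the WebAdministration module and an
# elevated session. $site and $url are placeholders to adjust.
Import-Module WebAdministration

$site   = 'Default Web Site'   # assumed site name
$url    = 'http://localhost/'  # assumed URL served by that site
$psPath = 'MACHINE/WEBROOT/APPHOST'
$verbs  = 'system.webServer/security/requestFiltering/verbs'
$rule   = "$verbs/add[@verb='OPTIONS']"

# Adding a duplicate collection entry fails, so look for an existing rule first.
$existing = Get-WebConfiguration -PSPath $psPath -Location $site -Filter $rule
if ($existing) {
    # A rule exists (possibly allowed="true"): force it to deny.
    Set-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $rule `
        -Name 'allowed' -Value $false
} else {
    # Same effect as "Deny Verb" in IIS Manager:
    #   <verbs><add verb="OPTIONS" allowed="false" /></verbs>
    Add-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $verbs `
        -Name '.' -Value @{ verb = 'OPTIONS'; allowed = $false }
}

# Verify: Request Filtering rejects a denied verb with HTTP 404 (substatus 404.6).
try {
    $resp   = Invoke-WebRequest -Uri $url -Method Options -UseBasicParsing
    $status = [int]$resp.StatusCode
    $allow  = $resp.Headers['Allow']
} catch {
    if (-not $_.Exception.Response) { throw }   # connection failure, not an HTTP status
    $status = [int]$_.Exception.Response.StatusCode
    $allow  = $null
}

if ($status -eq 404) {
    Write-Output "OPTIONS is denied on $url (HTTP 404)."
} else {
    Write-Warning "OPTIONS still answered with HTTP $status. Allow header: $allow"
}
```

Omitting -Location from the three configuration cmdlets applies the rule server-wide, which matches selecting the machine name in IIS Manager.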

IIS (For old versions)