OPTIONS is a diagnostic HTTP method used mainly for debugging. It reports which HTTP methods the web server allows. It is rarely needed for legitimate purposes, but it gives a potential attacker a little help and can serve as a shortcut to finding another weakness.
The OPTIONS method should be disabled.
How to disable the OPTIONS method varies with the type and version of the web server.
IIS (for new versions)
In IIS, this can be done by denying the OPTIONS verb in the HTTP Verb rules of Request Filtering.
IIS (for old versions)
In IIS, this can be done by denying the OPTIONS verb in the HTTP Verb rules of Request Filtering.
Apache
The traditional way to disable specific HTTP methods in the Apache web server is with mod_rewrite. mod_rewrite is a rule-based rewriting engine that can be configured in the main Apache configuration file or in an .htaccess file. A mod_rewrite rule has a minimum of four components: the directive that loads the module, the directive that turns the rewrite engine on, a rewrite condition, and a rewrite rule.
Steps:
Search your Apache configuration file(s) for mod_rewrite.so. If it is not found, add the following line to your Apache configuration file (typically httpd.conf):
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
To enable the rewrite engine:
RewriteEngine On
To disable OPTIONS:
RewriteCond %{REQUEST_METHOD} ^OPTIONS
RewriteRule .* - [F]
i.e., all together:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^OPTIONS
RewriteRule .* - [F]
The flag in square brackets selects the action: [F] returns a 403 Forbidden response, [R] redirects the request, and so on.
Note:
By default, rewrite configuration is not inherited by virtual hosts. Add RewriteEngine On to each virtual host.
Tomcat
In Apache Tomcat, security is enforced by way of security constraints defined in the Java Servlet specification. These are not placed in Tomcat's main server.xml file but in the application's web.xml configuration file.
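The web.xml fragment below is an added example of such a security constraint (it is not from the original page or from the Tomcat project; the application it belongs to is hypothetical). It covers every URL of the application for the OPTIONS method and attaches an empty auth-constraint, which grants access to no role, so Tomcat refuses the request with 403:

```xml
<!-- Added example: fragment of a hypothetical application's WEB-INF/web.xml -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Deny OPTIONS</web-resource-name>
    <!-- every URL in the application -->
    <url-pattern>/*</url-pattern>
    <!-- only the OPTIONS method is constrained by this collection -->
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <!-- an empty auth-constraint means no role is permitted: the request is refused -->
  <auth-constraint/>
</security-constraint>
```

A constraint that names specific methods applies only to those methods. The reverse mistake is common: an authentication constraint that lists only GET and POST leaves every other method uncovered and therefore unprotected. Servlet 3.1 applications can add `<deny-uncovered-http-methods/>` to web.xml so that any method not named in a constraint is refused rather than allowed.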
NGINX
Disable the OPTIONS method in NGINX
It is recommended to disable any HTTP method that will not be used and does not need to be implemented on the web server. To disable the OPTIONS method in Nginx, add the following condition under the server section of the Nginx configuration file:
if ($request_method ~ ^(OPTIONS)$ )
{
return 403;
}
The result can be tested with curl; with the configurations above a disabled method returns 403 Forbidden:
curl -X OPTIONS https://domain.com
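The check can also be scripted so that several methods are probed at once and the result is pass/fail rather than eyeballed. The Python script below is an added example, not part of the original page: probe_methods sends each method to a host and records the status code, and options_is_disabled treats 403 (the configurations above), 405 or 501 (other servers' "not allowed" or "not implemented" responses) as refused. So that it runs offline, it also starts a constructed stand-in server on localhost that serves GET and refuses OPTIONS with 403; against a real server, call probe_methods with that server's host and port instead.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Status codes that mean the method was refused rather than served.
REFUSED = {403, 405, 501}


def probe_methods(host, port, methods=("OPTIONS", "GET"), path="/", timeout=5):
    """Send each HTTP method to host:port and return {method: status_code}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            results[method] = conn.getresponse().status
        finally:
            conn.close()
    return results


def options_is_disabled(results):
    """True when the OPTIONS probe was refused (403 here; 405/501 on other servers)."""
    return results.get("OPTIONS") in REFUSED


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a hardened server: serves GET, refuses OPTIONS with 403.
    Methods without a do_* handler (e.g. TRACE) get 501 from the base class."""

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        self.send_response(403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        # keep the demo server quiet
        pass


def start_demo_server():
    """Start the stand-in server on an ephemeral localhost port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    srv, port = start_demo_server()
    try:
        res = probe_methods("127.0.0.1", port, ("OPTIONS", "GET", "TRACE"))
        for method, code in res.items():
            print(f"{method:8s} -> {code}")
        print("OPTIONS disabled:", options_is_disabled(res))
    finally:
        srv.shutdown()
```

Run it as-is to see the expected pattern (GET 200, OPTIONS 403, TRACE 501); for a deployment check, drop the demo server and point probe_methods at the host being verified.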