The OPTIONS method is primarily used for diagnostic and debugging purposes; it reports which HTTP methods the web server allows. However, that same information can help an attacker learn about the system and prepare further malicious actions.
The HTTP OPTIONS method should be disabled.
How to disable the OPTIONS method varies with the type and version of the web server.
In IIS, this can be done by denying the OPTIONS verb from the HTTP Verb Request Filtering rules in IIS.
To disable the OPTIONS method in the Apache web server, you can use the “mod_rewrite” module. This module is a rule-based rewriting engine that can be configured in the main Apache configuration file or in an “.htaccess” file. Each mod_rewrite rule consists of four main components: the directive to load the module, the directive to activate the rewrite engine, a rewrite condition, and a rewrite rule.
Before creating an “.htaccess” file under the document root directory and adding the rules, make sure that the Apache rewrite module and .htaccess are enabled.
Search your Apache configuration file(s) for mod_rewrite.so. If it is not found, add the following 3 lines, one below the other, to your Apache configuration file (typically known as httpd.conf). On a Windows server the Apache configuration file is typically located at C:\Program Files\Apache\conf\httpd.conf
To load the rewrite module-
To enable the engine-
To disable the HTTP requests-
(The [F] flag returns a 403 Forbidden response to any request using the OPTIONS method, effectively disabling it.)
Note: By default, rewrite configurations are not inherited by virtual hosts. Add “RewriteEngine On” to each virtual host.
In Apache Tomcat, access to HTTP methods is enforced by adding security constraints as defined in the Java Servlet specification. These go not in Tomcat's main “server.xml” file but in the “web.xml” configuration file, which is located at TOMCAT_HOME/conf/web.xml or AppName/tomcat/conf/web.xml
Add the following lines in conf/web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
To disable the OPTIONS method in Nginx, add the following configuration to the nginx.conf file, which on Windows is typically located at C:\nginx\conf\nginx.conf
It is suggested to disable any HTTP methods which are not going to be utilized and which are not required to be implemented on the web server. The condition below, added under the “server” section of the Nginx configuration file, will disable the OPTIONS method:
if ($request_method ~ ^(OPTIONS)$ )
{
return 403;
}
The result can be tested with curl (the -i flag prints the response headers, so the 403 Forbidden status line is visible):
curl -i -X OPTIONS https://domain.com
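As an added example (not from the original page), a small Python check that sends each method to a host and reports the status code, so the result of the IIS, Apache, Tomcat or Nginx change can be verified in one pass. The local handler it starts is a constructed stand-in for a hardened server (OPTIONS and TRACE answer 403, as the rules above produce) so the script runs offline; point check_method/audit_methods at your own host and port for a real check.

```python
import threading
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer

# Status codes that show the server refused the method outright.
BLOCKED_STATUSES = {403, 405, 501}


def check_method(host, port, method, path="/", timeout=5):
    """Send one request with the given HTTP method and return the status code."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status
    finally:
        conn.close()


def audit_methods(host, port, methods=("GET", "OPTIONS", "TRACE", "PUT", "DELETE")):
    """Return {method: status}; GET is included as a control that should succeed."""
    return {m: check_method(host, port, m) for m in methods}


def unblocked(results):
    """List the methods the server still accepts (anything not 403/405/501)."""
    return [m for m, status in results.items() if status not in BLOCKED_STATUSES]


# Constructed stand-in for a hardened server (assumption: only here so the
# example runs offline). It mirrors the Apache/Nginx rule: OPTIONS -> 403.
class _HardenedHandler(BaseHTTPRequestHandler):
    def _deny(self):
        self.send_response(403)
        self.end_headers()

    do_OPTIONS = _deny
    do_TRACE = _deny

    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the console quiet
        pass


def start_test_server():
    """Start the constructed server on an ephemeral port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _HardenedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    srv, port = start_test_server()
    results = audit_methods("127.0.0.1", port)
    print(results, "still accepted:", unblocked(results))
    srv.shutdown()
```

Run it before and after the configuration change and compare the two result sets; note that browsers send OPTIONS as the CORS preflight request, so an API that serves cross-origin clients will need to keep it.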