The HTTP DELETE method is enabled. This may let a malicious user delete content or code from the web server, resulting in data loss.
What is HTTP DELETE method?
The DELETE method requests that the origin server remove the association between the target resource and its current functionality, i.e. an HTTP DELETE request deletes the specified resource at the origin server.
A payload (body) within a DELETE request message has no defined semantics; a minimal DELETE request consists of the request line and the Host header:
DELETE /root.html HTTP/1.1
Host: test.com
If the server responds with 202 Accepted, the DELETE request was accepted for the specified URI but may not yet have been enacted.
If the server responds with 204 No Content, the DELETE was successfully applied to the specified URI and either no further information is to be supplied or the response message describes the status of the action.
To disable HTTP DELETE in Apache:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|OPTIONS)
RewriteRule .* - [F]
To disable HTTP DELETE in IIS:
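The page gives no IIS configuration, so the following web.config fragment is an added example (not from the original page). It uses IIS request filtering to deny the DELETE verb for the whole site and assumes IIS 7 or later with the Request Filtering module installed and the fragment placed in the site's web.config:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- allowUnlisted="true" keeps every verb not named here (GET, HEAD, POST, ...)
             working; only the verbs listed with allowed="false" are denied. -->
        <verbs allowUnlisted="true">
          <add verb="DELETE" allowed="false" />
          <add verb="TRACE" allowed="false" />
          <add verb="OPTIONS" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

With this in place IIS rejects DELETE requests with HTTP 404.6 (Verb denied) before they reach the application, while GET and POST are unaffected. A stricter variant sets allowUnlisted="false" and lists only the verbs the site needs, but that allow-list must then be kept in step with any WebDAV or REST API the site hosts.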
To disable HTTP DELETE in Tomcat:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>DELETE</http-method>
    <!-- Listing POST blocks form submissions for the whole application; drop it if the application accepts POST. -->
    <http-method>POST</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <!-- An empty auth-constraint denies the listed methods to every user. -->
  <auth-constraint />
</security-constraint>