[users@httpd] Restricting request methods

[Eruch Kapadia <ek...@cisco.com>]

Folks,

I am trying to restrict certain request methods that the apache server can 
accept.  For example i would like to disable TRACE, and DELETE methods.

Please advise how this can be done.

Regards

-- Eruch --

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Restricting request methods

[Joshua Slive <js...@gmail.com>]

On 11/8/05, Eruch Kapadia <ek...@cisco.com> wrote:
>
> Folks,
>
> I am trying to restrict certain request methods that the apache server can
> accept.  For example i would like to disable TRACE, and DELETE methods.
>
> Please advise how this can be done.

To start with, you are most likely wasting your time.  The TRACE
method is not dangerous, and the DELETE method is probably already
rejected by apache, unless you have mod_dav active and unprotected. 
So you are better off ignoring whatever silly security checklist you
are following.

But anyway, DELETE can be restricted as follows:

<Limit DELETE>
Order Allow,Deny
Deny from all
</Limit>

And TRACE can be disabled with the TraceEnable directive in 1.3.34 or
2.0.55 or later.  In earlier versions, you need mod_rewrite to disable
TRACE as in
http://www.apacheweek.com/issues/03-01-24#news

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org