Differences
This shows you the differences between two versions of the page.
litespeed_wiki:config:disable-http-methods [2019/04/24 14:32] Jackson Zhang created |
litespeed_wiki:config:disable-http-methods [2019/04/24 15:43] (current) Lisa Clarke Copyediting |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== How to disable OPTIONS/TRACE/TRACK http methods? ====== | + | ====== Disabling HTTP Methods ====== |
- | HTTP defines a set of request methods to indicate the desired action to be performed for a given resource, such as "Options", "Trace", "Track" etc. | + | HTTP defines a set of request methods to indicate the desired action to be performed for a given resource, such as ''OPTIONS'', ''TRACE'', ''TRACK'', etc. |
- | ''Options'' are analytical protocols commonly utilized to repair and clear up web servers. However, most frequently, it serves as a crack that lets attackers have an easy way to launch an attack. Also ''Trace/Track'' method may introduce Cross-Site Tracing vulnerability. It is thus, recommended blocking that possible access by disabling the ''Options/Trace/Track'' method. | + | ''OPTIONS'' are analytical protocols commonly utilized to repair and clear up web servers. However, most frequently, they serve as cracks that let attackers have an easy way to launch an attack. |
- | You can use rewrite rules to do so. | + | Also problematic is the ''TRACE'' or ''TRACK'' method, which may introduce a Cross-Site Tracing vulnerability. |
+ | |||
+ | It is thus recommended to disable the ''OPTIONS|TRACE|TRACK'' methods, thereby blocking possible malicious access. | ||
+ | |||
+ | You can use rewrite rules to do so: | ||
RewriteCond %{REQUEST_METHOD} ^(OPTIONS|TRACE|TRACK) | RewriteCond %{REQUEST_METHOD} ^(OPTIONS|TRACE|TRACK) | ||
RewriteRule .* - [F] | RewriteRule .* - [F] | ||
| | ||
- | Please the above rule to domain's document rule .htaccess. If you use control panel and want to disable such for all virtual hosts, you can add it to virtual host include files, which will disable ''OPTIONS/TRACE/TRACK'' for all virtual hosts. Please refer to corresponding documentation of control panel on how to add/modify such include files for all virtual hosts. | + | Add the above rule to the domain's document root ''.htaccess''. If you use a control panel and want to disable ''OPTIONS|TRACE|TRACK'' methods for all virtual hosts, you can add the same lines to the virtual host include files. Please refer to the control panel's documentation to learn how to add/modify such include files for all virtual hosts. |
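Review bot: The revised second paragraph still describes OPTIONS as "analytical protocols commonly utilized to repair and clear up web servers", which is inaccurate. OPTIONS is a single request method that asks the server which methods a resource supports, and nothing on the page backs the claim that it "most frequently" serves attackers. Suggest rewording that sentence to state what the method discloses. The instruction to answer every OPTIONS request with [F] should also note that browsers send OPTIONS for CORS preflight, so a site that serves cross-origin API requests needs to exempt those paths. In the RewriteCond, the pattern ^(OPTIONS|TRACE|TRACK) has no trailing $, so it matches on prefix only. Anchoring both ends would make the match exact. Finally, the new prose writes the method list as OPTIONS|TRACE|TRACK, which borrows the regex alternation syntax; in running text "OPTIONS, TRACE and TRACK" reads more clearly.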