How to disable HTTP OPTIONS method in Apache HTTP Server


Article ID: 100060605


Description

Error Message

Example security message: The option method is enabled throughout the application

 

Cause

N/A

Resolution

It is possible to disable the HTTP OPTIONS method in Apache without impacting DLO functionality.

To do this:

  • Download a copy of curl.exe (which is included in Win 10/11 client OS builds).
     
  • Open a command prompt in the folder where curl.exe is saved and run the following command:

curl.exe -i -X OPTIONS http://:90

 

  • That produces a result like the one below; the 'Allow' line lists OPTIONS.

HTTP/1.1 200 OK
Date: Mon, 08 Oct 2018 15:14:23 GMT
Server: Apache
Allow: OPTIONS,POST,GET,HEAD 
Content-Length: 0
Content-Type: text/html

 

  • Open the C:\Program Files\Apache Software Foundation\Apache24\Conf\httpd.conf file.
     
  • Scroll down the contents of that file. Under the section, add the highlighted lines below and save the file:


 AllowOverride none
 Require all denied
 
  Order deny,allow
  Deny from all
 

 

  • In the command prompt, in the folder where curl.exe is saved, rerun the following command:

curl.exe -i -X OPTIONS http://:90

 

  • That now produces a result like the one below; the 'Allow' line is no longer displayed.

HTTP/1.1 200 OK
Date: Mon, 08 Oct 2018 15:14:23 GMT
Server: Apache
Content-Length: 0
Content-Type: text/html

 

The HTTP OPTIONS method is now disabled on the system.
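
The before/after check in the steps above can be scripted so it is repeatable after each configuration change. This is an added example, not part of the original article or of DLO; the function names are hypothetical, port 90 is taken from the curl command, and the two sample responses are the ones shown above.

```python
import http.client
import sys

# The two responses shown in this article, embedded as sample input.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 08 Oct 2018 15:14:23 GMT\r\n"
    "Server: Apache\r\n"
    "Allow: OPTIONS,POST,GET,HEAD \r\n"
    "Content-Length: 0\r\n"
    "Content-Type: text/html\r\n\r\n"
)
AFTER = BEFORE.replace("Allow: OPTIONS,POST,GET,HEAD \r\n", "")

def parse_allow(raw):
    """Return (status_code, [methods]) from the header block of a raw response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    status = int(lines[0].split()[1])
    methods = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":  # header names are case-insensitive
            methods += [m.strip().upper() for m in value.split(",") if m.strip()]
    return status, methods

def options_advertised(raw):
    """True when any Allow header in the response lists OPTIONS."""
    return "OPTIONS" in parse_allow(raw)[1]

def probe(host, port=90, timeout=5.0):
    """Send 'OPTIONS /' (like curl -i -X OPTIONS) and return the response head."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", "/")
        resp = conn.getresponse()
        headers = "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
        return f"HTTP/1.1 {resp.status} {resp.reason}\r\n{headers}\r\n"
    finally:
        conn.close()

if __name__ == "__main__":
    # Pass the server name as the first argument; with no argument the
    # embedded BEFORE sample is parsed instead, so the script runs offline.
    raw = probe(sys.argv[1]) if len(sys.argv) > 1 else BEFORE
    status, methods = parse_allow(raw)
    print(f"status={status} allow={methods} options_advertised={'OPTIONS' in methods}")
```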
 

Issue/Introduction

Security scanners can identify a potential vulnerability with Desktop and Laptop Option (DLO) related to the HTTP OPTIONS method being used with Apache HTTP Server.