Apache - Forbidding HTTP Methods

[ricardo arraes]

Hey everybody!

at this point you might be thinking that I'm paranoid with web security

but I found out that it's a good practice to block undesired HTTP Methods on Apache, in order to avoid some threats and increase the security of your server.
All you gotta do is:

1. open the httpd.conf file

2. load the rewrite module adding this line:

Código: Seleccionar todo

LoadModule rewrite_module modules/mod_rewrite.so

3. turn the rewriteengine ON, adding this line:

Código: Seleccionar todo

RewriteEngine On 

4. set the conditions and define which methods will be forbid, adding these lines:

Código: Seleccionar todo

RewriteCond %{REQUEST_METHOD} ^(PUT|PATCH|DELETE|COPY|HEAD|LINK|UNLINK|PURGE|LOCK|UNLOCK|PROPFIND|VIEW|TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]

*in this case I'm forbiding all these methods (PUT,PATCH,DELETE,COPY,HEAD,LINK,UNLINK,PURGE,LOCK,UNLOCK,PROPFIND,VIEW,TRACE,TRACK,OPTIONS) on Apache, basically only GET and POST are allowed.

Now you can go to Postman (software that allows you to send some HTTP requests and test your applications) and try to send any of these methods, it will return a 403 - Forbidden Error.

and that's it!

[Cristobal]

Ricardo, fantástico, gracias

[ramirezosvaldo]

Gracias Ricardo

Muy buenos TIPS

Anexo Links para los que no sabemos que es cada metodo

https://yosoy.dev/peticiones-http-get-p ... elete-etc/

Saludos
Osvaldo

[mag071]

Gracias Ricardo ;

Muy buen TIPS.