HOWTO: Disable HTTP Methods in Apache


At several points in our careers as web server/site administrators, we will be required to disable certain HTTP methods from the web and app servers we support.  The most common reason to disable these methods is due to some security best practice.  The traditional way to disable specific HTTP Methods in the Apache web server is with the use of mod_rewrite. mod_rewrite is a rules-based, rewriting engine that can be loaded in the standard apache configuration file or as part of an .htaccess file.

There are a minimum of four components to a mod_rewrite rule; the directive that loads the module, the directive that turns the rewrite engine on, a rewrite condition, and a rewrite rule.

Since mod_rewrite is so commonly used, the directive that loads the module will more likely than not already be present. Search your apache configuraction file(s) for If it is not found, add the following line to your apache configuration file (typically known as httpd.conf):

	LoadModule  rewrite_module  path/to/apache/modules/

To enable the rewrite engine, add the following:

	RewriteEngine On 

Please note that by default, rewrite configurations are not inherited across virtual servers. Add RewriteEngine On to each virtual host.

The Disable HTTP Methods Rewrite Rule

Since we are looking to disable specific http methods in this HOWTO, our rewrite rule has two components: a condition and the rule to be applied when that condition is met. In this HOWTO, my example rule will disable both HTTP TRACE and HTTP TRACK requests, (even though TRACK isn't supported by Apache) as well as HTTP OPTIONS requests, (even though disabling HTTP OPTIONS isn't necessarily a best practice). Below is the rule:

	RewriteRule .* - [F]

The first line in the rule uses a built in server variable called REQUEST_METHOD. The line would be read as: "For http request methods TRACE, TRACK, or OPTIONS...". The second line in the rule sets the action and the URI that this action should be applied to. The line above would be read as: "forbid access for all URIs". Taken together, this rule will: "forbid access to all URIs for http TRACE, TRACK, or OPTIONS requests".

Creative Commons Attribution-ShareAlike 3.0 Unported