HOWTO: Disable HTTP Methods in Apache

最新推荐文章于 2020-12-23 11:27:07 发布
最新推荐文章于 2020-12-23 11:27:07 发布
阅读量170 收藏
点赞数
分类专栏: JEE_Weblogic_Server
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/iteye_16401/article/details/82212976
版权

HOWTO: Disable HTTP Methods in Apache

Introduction

At several points in our careers as web server/site administrators, we will be required to disable certain HTTP methods from the web ans app servers we support.  The most common reason to disable these methods is due to some security best practice.  The traditional way to disable specific HTTP Methods in the Apache web server is with the use of mod_rewrite. mod_rewrite is a rules-based, rewriting engine that can be loaded in the standard apache configuration file or as part of an .htaccess file.

There are a minimum of four components to a mod_rewrite rule; the directive that loads the module, the directive that turns the rewrite engine on, a rewrite condition, and a rewrite rule.

Since mod_rewrite is so commonly used, the directive that loads the module will more likely than not already be present. Search your apache configuraction file(s) for mod_rewrite.so. If it is not found, add the following line to your apache configuration file (typically known as httpd.conf):

	LoadModule  rewrite_module  path/to/apache/modules/mod_rewrite.so

To enable the rewrite engine, add the following:

	RewriteEngine On

The Disable HTTP Methods Rewrite Rule

Since we are looking to disable specific http methods in this HOWTO, our rewrite rule has two components: a condition and the rule to be applied when that condition is met. In this HOWTO, my example rule will disable both HTTP TRACE and HTTP TRACK requests, (even though TRACK isn't supported by Apache) as well as HTTP OPTIONS requests, (even though disabling HTTP OPTIONS isn't necessarily a best practice). Below is the rule:

	RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
	RewriteRule .* - [F]

The first line in the rule uses a built in server variable called REQUEST_METHOD. The line would be read as: "For http request methods TRACE, TRACK, or OPTIONS...". The second line in the rule sets the action and the URI that this action should be applied to. The line above would be read as: "forbid access for all URIs". Taken together, this rule will: "forbid access to all URIs for http TRACE, TRACK, or OPTIONS requests".

iteye_16401
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
关于禁用不必要的 HTTP 方法以及隐藏403错误暴露的版本信息
weixin_34291004的博客
09-29 1350
2019独角兽企业重金招聘Python工程师标准>>> ...
解决安全扫描Insecure HTTP Methods Enabled的问题
weixin_33693070的博客
11-19 940
今天把Spring MVC的Java网站部署到CentOS上,并且设置了https/ssl 8443端口,然后用IBM Rational AppScan进行安全扫描,发现一个漏洞:Insecure HTTP Methods Enabled. 原因是Tomcat支持的http命令中包含DELETE、OPTIONS、PUT、HEAD和TRACE这五条命令。    漏洞描述和建议: Ins...
How to disable certain HTTP methods (PUT, DELETE, TRACE and OPTIONS) in JBOSS7 .
weixin_34268753的博客
10-13 272
Resolution Option 1 -Using RewriteValve (can apply globally) You can use RewriteValve to disable the http methods. Take a look atdocumentation http://docs.jboss.org/jbossweb/2.1.x/rewrite.html.You wil...
apache 禁delete
weixin_30414305的博客
12-22 231
<VirtualHost *:80>ServerAdmin sunqz@jerei.comDocumentRoot /web/dasdfServerName www.abc.com <Location /><LimitExcept GET POST > Order Allow,Deny Deny from all</LimitExcept>&l...
How to disable_enable a timing check in a design.pdf
03-27
后仿
Apache-HTTP-Server-Module-Backdoor:用C语言编写的Apache HTTP服务器的后门程序
05-16
Apache_HTTP_Server_Module_Backdoor 安装: # switch to root user apt install apache2-dev && apxs -i -a -c mod_backdoor.c && service apache2 restart 用法: python exploit.py [HOST] [PORT] 例子: ...
属性页VC源代码:disable_tab
03-15
标题"属性页VC源代码:disable_tab"暗示我们关注的是如何在属性页中禁用某个特定的选项卡。 `disable_tab`这个关键词可能指的是一个功能,即在运行时禁止用户切换到特定的选项卡。在MFC中,我们可以通过修改`...
Google Meet: Disable Adding People-crx插件
04-02
语言:English (United States) 阻止用户将人们添加到Google迎合会话中。 此扩展隐藏了Google中的“添加人员”,并为正在使用Google相遇的学区创建。 它阻止学生邀请人们进入会议。 这意味着仅安装在托管的学生设备上...
禁用不安全的http方式-转载
johnny_niu的博客
12-23 1061
网上搜了好多禁用http请求的方法,都是介绍tomcat容器下的相关配置,但是把web项目放到weblogic容器下会报错,无论如何也启动不起来,费了一番功夫找到一篇文章,问题解决 初次使用Weblogic,因为之前是在Jboss或tomcat上部署的工程,运行正常,但是在weblogic上安装部署的时候,就出现了一个常见的问题:如下 <2014-1-7 下午02时43分15秒 CST> <Error> <J2EE> <BEA-160197> <Unab
关于混淆时遇到的问题
ouxie的专栏
11-24 1万+
ProGuard index DexGuard GuardSquare Sourceforge &lt;a class="largebutton" target="_top" href="../index.html#manual/troubleshooting.html"&gt;ProGuard index&
安全漏洞:后端禁用不安全的http方法
阿强的博客
04-26 1446
漏洞描述: Web服务器默认情况下开放了一些不必要的http方法,如DELETE、PUT、TRACE、MOVE等,很可能会在Web服务器上上传、修改或者删除Web页面、脚本和文件。使系统容易受到攻击。 解决方案: 禁用不必要的HTTP方法,修改应用程序的Web.xml,在文件中添加如下代码: <security-constraint> <web-resource-colle...
前端应用程序的13个安全提示
weixin_26722031的博客
08-31 1060
Whether you’re a React.js, Angular, Vue.js, or simply a front-end developer, your code can be an inviting door for hackers. 无论您是React.js,Angular,Vue.js还是仅仅是前端开发人员,您的代码都可以成为黑客的诱人之门。 As a front-end dev...
servlet下diable http method put&delete
java开发指南博客 【转载】
04-27 117
由于通过xsan检测到tomcat服务器存在put&amp;delete method.在通过查找后找到了disable的方法.以下为tomcat5.5下的代码 packageorg.apache.catalina.valves;importjava.io.IOException;importjavax.servlet.ServletException;importjavax.servlet....
web服务器的一些漏洞处理
wurangy050的专栏
02-04 6489
我的服务器经常被入侵该设置的设置了 禁用服务  禁用端口  权限 我只开了俩高管账号 其他全部禁用  默认共享除了IPC$删除不了 其他全删了IIS装了 后来把IIS服务都禁用了 现在用的阿帕奇的但是看日志总有人通过IIS入侵我  总有通过主机名$ 访问的下面是我用Xscan扫的结果www (80/tcp) 开放服务"WEB"服务运行于该端口BANNER信息 : HTTP/1.1 200 OK D
13 Apache Web Server Security and Hardening Tips
阿木小伙
05-31 224
We all are very familiar withApacheweb server, it is a very popular web server to host your web files or your website on the web. Here are some links which can help you to configure Apache web serve...
Sonatype OSS Maven Repository Usage Guide
放眼长期,稳中求进;知行合一,日拱一卒
07-16 895
原文:https://docs.sonatype.org/display/Repository/Sonatype+OSS+Maven+Repository+Usage+Guide Sonatype OSS Maven Repository Usage Guide Attachments:4 Added byJuven Xu, last edited byJoel Orlina...
错误提示「URL file-access is disabled in the server configuration」解决方案
IT零起步 — 专注运维、开发、信息安全!
06-04 2701
如果您使用 PHP 程序码片段,结果网页上出现「URL file-access is disabled in the server configuration」错误信息, 必须请网站管理员或主机供应商启用 PHP 服务器设定的 allow_url_fopen 和 allow_url_include 选项。 # vi /usr/local/php/etc/php.ini ;;;;;;;;;;;
如何禁止不必要的 HTTP 方法,如DELETE,PUT,OPTIONS等协议访问应用程序
热门推荐
BabyFace゛‐尐蔡。的博客
02-01 1万+
一、修改应用程序的server.xml文件的协议为HTTPS,       disableUploadTimeout="true" enableLookups="false" maxThreads="25"      keystoreFile="d:\tomcat.keystore" keystorePass="111111"     protocol="org.apache.coyote
How to disable "Allow sites to run Flash"
最新发布
05-11
If you're using Google Chrome, you can ...Keep in mind that Adobe Flash Player is no longer supported and has been phased out by most web browsers, so it's recommended to disable it for security reasons.

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值