<h3 class="entry-header" style="margin-top: 0px; margin-bottom: 5px; margin-right: 0px; margin-left: 0px; font-size: 22px; font-family: 'Helvetica Neue', Geneva, Arial, Verdana, sans-serif; line-height: 20px; text-align: left;">HOWTO: Disable HTTP Methods in Apache</h3>
<div class="entry-content" style="clear: both; margin-top: 5px; margin-right: 0px; margin-bottom: 5px; margin-left: 0px; color: #333333; font-family: 'Helvetica Neue', Geneva, Arial, Verdana, sans-serif; font-size: 14px; line-height: 20px; text-align: left;">
<div class="entry-body" style="clear: both;">
<h3 style="margin-top: 10px; margin-bottom: 10px; color: black;">Introduction</h3>
<p style="margin-top: 10px; margin-bottom: 10px;">There are a minimum of four components to a mod_rewrite rule; the directive that loads the module, the directive that turns the rewrite engine on, a rewrite condition, and a rewrite rule.
<pre> LoadModule??rewrite_module??path/to/apache/modules/mod_rewrite.so</pre>
<p style="margin-top: 10px; margin-bottom: 10px;">To enable the rewrite engine, add the following:
<h3 style="margin-top: 10px; margin-bottom: 10px; color: black;">The Disable HTTP Methods Rewrite Rule</h3>
<p style="margin-top: 10px; margin-bottom: 10px;">Since we are looking to disable specific http methods in this HOWTO, our rewrite rule has two components: a condition and the rule to be applied when that condition is met. In this HOWTO, my example rule will disable both HTTP TRACE and HTTP TRACK requests, (even though TRACK isn't supported by Apache) as well as HTTP OPTIONS requests, (even though disabling HTTP OPTIONS isn't necessarily a best practice). Below is the rule:
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]</pre>
<p style="margin-top: 10px; margin-bottom: 10px;">The first line in the rule uses a built in server variable called REQUEST_METHOD. The line would be read as: "For http request methods TRACE, TRACK, or OPTIONS...". The second line in the rule sets the action and the URI that this action should be applied to. The line above would be read as: "forbid access for all URIs". Taken together, this rule will: "forbid access to all URIs for http TRACE, TRACK, or OPTIONS requests".
<div class="entry-content" style="clear: both; margin-top: 5px; margin-right: 0px; margin-bottom: 5px; margin-left: 0px; color: #333333; font-family: 'Helvetica Neue', Geneva, Arial, Verdana, sans-serif; font-size: 14px; line-height: 20px; text-align: left;">
<div class="entry-body" style="clear: both;">
<h3 style="margin-top: 10px; margin-bottom: 10px; color: black;">Introduction</h3>
<p style="margin-top: 10px; margin-bottom: 10px;">There are a minimum of four components to a mod_rewrite rule; the directive that loads the module, the directive that turns the rewrite engine on, a rewrite condition, and a rewrite rule.
<pre> LoadModule??rewrite_module??path/to/apache/modules/mod_rewrite.so</pre>
<p style="margin-top: 10px; margin-bottom: 10px;">To enable the rewrite engine, add the following:
<h3 style="margin-top: 10px; margin-bottom: 10px; color: black;">The Disable HTTP Methods Rewrite Rule</h3>
<p style="margin-top: 10px; margin-bottom: 10px;">Since we are looking to disable specific http methods in this HOWTO, our rewrite rule has two components: a condition and the rule to be applied when that condition is met. In this HOWTO, my example rule will disable both HTTP TRACE and HTTP TRACK requests, (even though TRACK isn't supported by Apache) as well as HTTP OPTIONS requests, (even though disabling HTTP OPTIONS isn't necessarily a best practice). Below is the rule:
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]</pre>
<p style="margin-top: 10px; margin-bottom: 10px;">The first line in the rule uses a built in server variable called REQUEST_METHOD. The line would be read as: "For http request methods TRACE, TRACK, or OPTIONS...". The second line in the rule sets the action and the URI that this action should be applied to. The line above would be read as: "forbid access for all URIs". Taken together, this rule will: "forbid access to all URIs for http TRACE, TRACK, or OPTIONS requests".