HOWTO: Disable HTTP Methods in Apache - vanghoh - ITeye博客

`

vanghoh

浏览: 38588 次

最近访客更多访客>>

http-hugh

jinge

ljj389

博主相关

博客

微博

相册

收藏

留言

关于我

文章分类

社区版块

存档分类

最新评论

songshuang：有道理！
8小时之外

HOWTO: Disable HTTP Methods in Apache

博客分类：

JEE_Weblogic_Server

阅读更多

HOWTO: Disable HTTP Methods in Apache

Introduction

At several points in our careers as web server/site administrators, we will be required to disable certain HTTP methods from the web ans app servers we support. The most common reason to disable these methods is due to some security best practice. The traditional way to disable specific HTTP Methods in the Apache web server is with the use of mod_rewrite. mod_rewrite is a rules-based, rewriting engine that can be loaded in the standard apache configuration file or as part of an .htaccess file.

There are a minimum of four components to a mod_rewrite rule; the directive that loads the module, the directive that turns the rewrite engine on, a rewrite condition, and a rewrite rule.

Since mod_rewrite is so commonly used, the directive that loads the module will more likely than not already be present. Search your apache configuraction file(s) for mod_rewrite.so. If it is not found, add the following line to your apache configuration file (typically known as httpd.conf):

	LoadModule  rewrite_module  path/to/apache/modules/mod_rewrite.so

To enable the rewrite engine, add the following:

	RewriteEngine On

The Disable HTTP Methods Rewrite Rule

Since we are looking to disable specific http methods in this HOWTO, our rewrite rule has two components: a condition and the rule to be applied when that condition is met. In this HOWTO, my example rule will disable both HTTP TRACE and HTTP TRACK requests, (even though TRACK isn't supported by Apache) as well as HTTP OPTIONS requests, (even though disabling HTTP OPTIONS isn't necessarily a best practice). Below is the rule:

	RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
	RewriteRule .* - [F]

The first line in the rule uses a built in server variable called REQUEST_METHOD. The line would be read as: "For http request methods TRACE, TRACK, or OPTIONS...". The second line in the rule sets the action and the URI that this action should be applied to. The line above would be read as: "forbid access for all URIs". Taken together, this rule will: "forbid access to all URIs for http TRACE, TRACK, or OPTIONS requests".

分享到：

HOWTO: Disable HTTP Methods in Tomcat In ... | 查看weblogic server version

2011-12-02 15:24
浏览 885
评论(0)
分类:编程语言
查看更多

评论

发表评论

文章已被作者锁定，不允许评论。

相关推荐

无 adb disable-verity 命令的adb应用程序: 此adb中无adb disable-verity命令，如果在cmd中输入以上命令会报 /system/bin/sh: disable-verity: not found 的错误。具体可看本人的文章 ”/system/bin/sh: disable-verity: not found 的解决方案“ 【使用方式】...

LCD.rar_LCD PWM_ht46r22_io lcd_mcu驱动LCD_source: IIC: DISABLE PFD: DISABLE PWM: DISABLE WDT: ENABLE CLRWDT: ONE WDT CLOCK SOURCE: T1 WDT TIME OUT SELECT: WDT CLOCK SOURCE/32768 LVR: DISABLE OSC: CRYSTAL SYSVOLT: 3.0V SYSFRAG: 4000KHZ ...

KBA_160615010248_2_how_to_disable_QC3_0_.pdf: 如何关闭QC3.0

How to disable_enable a timing check in a design.pdf: 后仿

属性页VC源代码:disable_tab: 属性页源代码:disable_tab 关键字：disable_tab,属性页

This shows how to disable control alt and delete by tricking: This shows how to disable control alt and delete by tricking the computer into thinking that the screensaver is running.

This is a straight forward example of how to disable any Win: This is a straight forward example of how to disable any Win95/98 window..

Android代码-屏蔽home按键: As there are a lot questions about "how to disable home button in android?" on Stack Overflow, such as how to disable home button in android? Android - Is It possible to disable the click of home ...

VS错误提示：To disable deprecation, use _CRT_SECURE_NO_WARNINGS.: Severity Code Description ... To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details. 解决方案：更改预处理定义右击项目名，选择Properties 在c/c++下选择Preprocessor 点击图

Apache-HTTP-Server-Module-Backdoor:用C语言编写的Apache HTTP服务器的后门程序: Apache_HTTP_Server_Module_Backdoor 安装： # switch to root user apt install apache2-dev && apxs -i -a -c mod_backdoor.c && service apache2 restart 用法： python exploit.py [HOST] [PORT] 例子： ...

Visual_Assist_X的用法: list methods in current file 列表方法在当前文件 file symbol 文件标记 find references 找到参考资料 find references in file 找到参考文件 clone find references results 寻找克隆结果 find previous by ...

google字体插件-disable-google-fonts: WordPress的插件：google字体插件-disable-google-fonts 解压后，请将目录名称：wordpress1，修改为：disable-google-fonts

（免费）提供 adb -disable-verity 支持: 此adb工具包中包含了adb disable-verity命令，这里免费提供给大家使用，具体可看本人的文章 ”/system/bin/sh: disable-verity: not found 的解决方案“ 【使用方式】 platform-tools解压后即可使用。在cmd中通过cd...

UE（官方下载）: How to enable and disable autocorrect keywords with syntax highlighting Insert Menu Commands UltraEdit includes several special insert functions under the Insert menu. You can use these functions to ...

（免费下载）adb应用程序，包含特殊的 adb disable-verity 命令: 此adb工具包中包含了adb disable-verity命令，这里免费提供给大家使用，具体可看本人的文章 ”/system/bin/sh: disable-verity: not found 的解决方案“ 【使用方式】 platform-tools解压后即可使用。在cmd中通过cd...

Google Meet: Disable Adding People-crx插件: 语言:English (United States) 阻止用户将人们添加到Google迎合会话中。此扩展隐藏了Google中的“添加人员”，并为正在使用Google相遇的学区创建。它阻止学生邀请人们进入会议。这意味着仅安装在托管的学生设备上...

Disable the Return Key in a TextBox: Disable the Return Key in a TextBox

Android代码-这个安卓库提供了一个带有2层的缓存: This library is now deprecated in favor of Store which fulfill all the goal of this library. Android dualcache This android library provide a cache with 2 layers, one in RAM in top of one on local ...

Automated-Market-Maker: "-v or -verbose : disable print out each transaction!" ;"-m or -median : disable print out median price for each equity!" ;"-p or -midpoint : disable print out midpoint for each equity!" ;"-t or -...

Global site tag (gtag.js) - Google Analytics