5.7 Ensure HTTP Request Methods Are Restricted

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Use the Apache <LimitExcept> directive to restrict unnecessary HTTP request methods of the web server to only accept and process the GET, HEAD, POST and OPTIONS HTTP request methods.

Rationale:

The HTTP 1.1 protocol supports several request methods which are rarely used and potentially high risk. For example, methods such as PUT and DELETE are rarely used and should be disabled in keeping with the primary security principal of minimize features and options. Also since the usage of these methods is typically to modify resources on the web server, they should be explicitly disallowed. For normal web server operation, you will typically need to allow only the GET, HEAD and POST request methods. This will allow for downloading of web pages and submitting information to web forms. The OPTIONS request method will also be allowed as it used to request which HTTP request methods are allowed. Unfortunately, the Apache <LimitExcept> directive does not deny the TRACE request method. The TRACE request method will be disallowed in another benchmark recommendation with the TraceEnable directive.

Solution

Perform the following to implement the recommended state:

Locate the Apache configuration files and included configuration files.

Search for the directive on the document root directory such as:

<Directory '/usr/local/apache2/htdocs'>
. . .
</Directory>

Add a directive as shown below within the group of document root directives.

# Limit HTTP methods to standard methods. Note: Does not limit TRACE
<LimitExcept GET POST OPTIONS>
Require all denied
</LimitExcept>

Search for other directives in the Apache configuration files other than the OS root directory and add the same directives to each. It is very important to understand that the directives are based on the OS file system hierarchy as accessed by Apache and not the hierarchy of the locations within web site URLs.

<Directory '/usr/local/apache2/cgi-bin'>
. . .
# Limit HTTP methods
<LimitExcept GET POST OPTIONS>
Require all denied
</LimitExcept>
</Directory>

Default Value:

No Limits on HTTP methods.

See Also

https://workbench.cisecurity.org/files/3021