5.1.2 Ensure only approved HTTP methods are allowed

Information

HTTP methods (also known as verbs) request different actions from the web server at a specified path, e.g. GET to read a resource, POST to submit data, PUT or DELETE to modify it. Only the methods the application actually needs should be enabled; every other method is surface area that an attacker can probe.

Rationale:

Most websites only require the methods GET, POST and HEAD to function correctly. Some web applications require other verbs (e.g. DELETE or PUT for REST APIs, or OPTIONS for CORS preflight requests from browsers). In order to narrow the attack surface, it is recommended to enable only the required verbs and refuse all others, so that a misconfigured handler or upstream is never reached with a method it was not designed for.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remove unneeded methods and allow only required methods, add the following to a server or location block in your nginx.conf. Placing it in the server block covers every location in that virtual host; placing it in a location block limits the restriction to that path. The snippet below assumes only the methods GET, HEAD and POST are required for the application; if the application serves cross-origin browser clients, add OPTIONS to the list, otherwise preflight requests will fail. The response code 444 is nginx-specific: it is not sent to the client at all, nginx simply closes the connection without returning a status line, headers or body. Because the client learns nothing about the server, this helps mitigate automated scanning; the trade-off is that legitimate clients see a dropped connection rather than a 405 Method Not Allowed. Note that nginx's `if` directive is unsafe with most directives inside a location block, but `return` is one of the directives it handles correctly.

# Drop the connection (no response at all) for any method other than
# GET, HEAD or POST. $request_method is the verb from the request line;
# the anchors ^ and $ prevent prefix matches such as "GETX".
if ($request_method !~ ^(GET|HEAD|POST)$) {
    return 444;
}
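To verify the setting after deploying it, the following probe sends each common method to the server and records what comes back. It is an added example, not part of the benchmark or of nginx. It uses raw sockets rather than an HTTP client library so that it can tell a normal status code apart from nginx's 444 behaviour, which shows up on the wire as a connection closed without a single byte of response. The `_MockNginx` class is a constructed stand-in that mimics the `if` block above so the script runs offline; point `probe_methods` at a real host and port to audit an actual server.

```python
"""Probe which HTTP methods a server accepts, distinguishing a real status
code (200, 403, 405, ...) from nginx's `return 444` (connection dropped)."""
import socket
import ssl
import threading

# Methods worth probing; TRACE and OPTIONS are included because scanners
# use them for fingerprinting and cross-site tracing checks.
METHODS = ("GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE", "PATCH", "TRACE")


def probe_method(host, port, method, path="/", use_tls=False, timeout=5.0):
    """Send one request and return the HTTP status code as an int, or None
    when the server closes the connection without sending any response."""
    request = (f"{method} {path} HTTP/1.1\r\n"
               f"Host: {host}\r\n"
               "Connection: close\r\n"
               "Content-Length: 0\r\n\r\n").encode()
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(request)
        head = b""
        # Read until the status line is complete or the peer closes.
        while b"\r\n" not in head and len(head) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            head += chunk
    finally:
        sock.close()
    if not head.startswith(b"HTTP/"):
        return None  # no status line at all: this is what 444 looks like
    parts = head.split(b" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return None
    return int(parts[1])


def probe_methods(host, port, methods=METHODS, **kw):
    """Probe every method in `methods`; returns {method: status_or_None}."""
    return {m: probe_method(host, port, m, **kw) for m in methods}


def audit(results, approved=("GET", "HEAD", "POST")):
    """Return the non-approved methods that the server still answered with a
    2xx/3xx status, i.e. the findings for this benchmark item."""
    return sorted(m for m, code in results.items()
                  if m not in approved and code is not None and code < 400)


class _MockNginx:
    """Constructed local stand-in for nginx with the benchmark's `if` block:
    approved methods get 200, every other method has its connection dropped
    with no response, exactly like `return 444`."""

    def __init__(self, allowed=("GET", "HEAD", "POST")):
        self.allowed = set(allowed)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return  # listening socket closed
            with conn:
                conn.settimeout(2)
                try:
                    line = conn.recv(4096).split(b"\r\n", 1)[0]
                except OSError:
                    continue
                method = line.split(b" ", 1)[0].decode(errors="replace")
                if method in self.allowed:
                    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n"
                                 b"Connection: close\r\n\r\n")
                # otherwise: close without sending a byte (444 behaviour)

    def close(self):
        self.sock.close()


if __name__ == "__main__":
    srv = _MockNginx()
    results = probe_methods("127.0.0.1", srv.port)
    for method, code in results.items():
        print(f"{method:8} {'closed (444)' if code is None else code}")
    print("findings:", audit(results) or "none")
    srv.close()
```

A method that comes back as `None` is a dropped connection; with curl the same condition appears as exit code 52, "Empty reply from server". A 405 from a hardened server is also a pass for this item, so `audit` only flags methods that succeeded.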

Default Value:

All methods are allowed. nginx itself imposes no restriction on the request method; each request is passed to the handler for its location, so a proxied upstream receives whatever verb the client sent.

See Also

https://workbench.cisecurity.org/files/4212