WA00565 A22 - HTTP request methods must be limited - Order

Information

The HTTP 1.1 protocol supports several request methods which are rarely used and potentially high risk. For example, methods such as PUT and DELETE are rarely used and should be disabled in keeping with the primary security principal of minimize features and options. Also since the usage of these methods is typically to modify resources on the web server, they should be explicitly disallowed. For normal web server operation, you will typically need to allow only the GET, HEAD and POST request methods. This will allow for downloading of web pages and submitting information to web forms. The OPTIONS request method will also be allowed as it is used to request which HTTP request methods are allowed.

Solution

Edit the httpd.conf file and add the following entries for every enabled directory except root.

Order allow,deny

<LimitExcept GET POST OPTIONS>
Deny from all
</LimitExcept>

See Also

https://iasecontent.disa.mil/stigs/zip/U_Apache_2-2_UNIX_V1R11_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7, CAT|II, Rule-ID|SV-33236r2_rule, STIG-ID|WA00565_A22, Vuln-ID|V-26396

Plugin: Unix

Control ID: ab0422b8d599e0960a73e6cee008705413687a9a4fa4c0eb57dc1f59f93063d7