
How to Disable HTTP Methods in Apache

Apache web server supports numerous HTTP methods, such as GET, POST, DELETE, PUT, PATCH and OPTIONS, each serving a different purpose. They are enabled in Apache server by default. Of these, GET and POST are the most common methods, and the others are rarely used. It is therefore advisable to disable the other HTTP methods that are not frequently used, so that malicious attackers and bots cannot exploit their security vulnerabilities. In this article, we will learn how to disable HTTP methods in Apache.


How to Disable HTTP Methods in Apache

Here are the steps to disable HTTP methods in Apache server.


1. Enable mod_rewrite

We will need to enable mod_rewrite and create a .htaccess file in order to disable HTTP methods. If you have already enabled it on your server, you can skip this step.

Otherwise, depending on your Linux distribution, run the following commands to enable it.

Ubuntu/Debian

Open terminal and run the following command to enable mod_rewrite.

$ sudo a2enmod rewrite

Redhat/Fedora/CentOS

Open Apache configuration file in a text editor.

$ sudo vi /etc/apache2/httpd.conf
OR
$ sudo vi /etc/httpd/conf/httpd.conf

Look for the following line.

#LoadModule rewrite_module modules/mod_rewrite.so

Uncomment it by removing # at its beginning. If you don’t find this line, add it afresh.

Also look for the following Directory tag and change AllowOverride from None to All.

. . .
<Directory /var/www/html>
. . .
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride All
. . .
</Directory>
. . .


2. Open .htaccess file

Open the .htaccess file in a text editor. We have used the default location of the .htaccess file below. If you have created it at another location, replace the file path below accordingly.

$ sudo vi /var/www/html/.htaccess


3. Disable HTTP Methods

Add the following lines to .htaccess file, to disable HEAD, PUT, DELETE, PATCH, TRACK, and OPTIONS HTTP methods in Apache.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|PUT|DELETE|PATCH|TRACK|OPTIONS)
RewriteRule .* - [F]

Save and close the file. You can customize the above directives as per your requirement.


4. Restart Apache Server

Restart Apache server to apply changes.

$ sudo service apache2 restart
OR
$ sudo systemctl restart apache2


5. Test Setup

Open terminal and run the following command to send an OPTIONS HTTP request to your domain or server IP address.

$ curl -i -X OPTIONS http://your_domain_or_ip

You will get a 403 Forbidden response.

HTTP/1.1 403 Forbidden
...

It means that the OPTIONS HTTP method is disabled on your web server. In this article, we have learnt how to block HTTP methods in Apache server. You can use these steps to disable HTTP TRACE, OPTIONS, PUT and other HTTP methods on your server. It is a simple and effective way to make your website more secure.
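
Step 5 checks only OPTIONS. The script below is an added example, not part of the original article: it sends every method named in this article to the server and compares each status code with what the pattern from step 3 should produce. AUDIT_URL and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original article): audit the rule from step 3.
# DENY_RE is the RewriteCond pattern from step 3; AUDIT_URL is a hypothetical
# environment variable naming the server to probe.
DENY_RE='^(HEAD|PUT|DELETE|PATCH|TRACK|OPTIONS)'
# TRACE is probed too: the article mentions it, but the pattern lists TRACK.
METHODS='GET POST HEAD PUT DELETE PATCH TRACK OPTIONS TRACE'

# expected_status METHOD -> "403" if the pattern matches the method, else "other"
expected_status() {
  if printf '%s\n' "$1" | grep -Eq "$DENY_RE"; then echo 403; else echo other; fi
}

# verdict METHOD HTTP_CODE -> PASS, FAIL, REVIEW or ERROR
verdict() {
  case "$2" in ''|000) echo ERROR; return 0 ;; esac   # no HTTP response at all
  if [ "$(expected_status "$1")" = 403 ]; then
    # Listed method: anything but 403 means the rule is not being applied
    # (mod_rewrite not loaded, AllowOverride None, wrong .htaccess location).
    if [ "$2" = 403 ]; then echo PASS; else echo FAIL; fi
    return 0
  fi
  case "$1:$2" in
    GET:403|POST:403) echo FAIL ;;    # rule blocks more than intended
    GET:*|POST:*)     echo PASS ;;
    *:2??)            echo REVIEW ;;  # served, and not covered by the pattern
    *)                echo PASS ;;
  esac
}

# probe URL METHOD -> HTTP status code (curl prints 000 on connection failure)
probe() {
  if [ "$2" = HEAD ]; then
    # curl -X HEAD waits for a body that never comes; --head sends a real HEAD
    curl -s -o /dev/null -m 10 -w '%{http_code}' --head "$1"
  else
    curl -s -o /dev/null -m 10 -w '%{http_code}' -X "$2" "$1"
  fi
}

audit() {
  for m in $METHODS; do
    code=$(probe "$1" "$m")
    printf '%-8s %-4s %s\n' "$m" "$code" "$(verdict "$m" "$code")"
  done
}

# Runs only when a target is supplied, e.g. AUDIT_URL=http://your_domain_or_ip
if [ -n "${AUDIT_URL:-}" ]; then audit "$AUDIT_URL"; fi
```

A REVIEW result for TRACE means the server answered the request and the pattern in step 3 does not list that method.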
