Skip to content

Limit Available Methods

An XCCDF Rule

Description

Web server methods are defined in section 9 of RFC 2616 ( http://www.ietf.org/rfc/rfc2616.txt). If a web server does not require the implementation of all available methods, they should be disabled.

Note: GET and POST are the most common methods. A majority of the others are limited to the WebDAV protocol.

<Directory /var/www/html>
# ...
   # Only allow specific methods (this command is case-sensitive!)
   <LimitExcept GET POST>
      Order allow,deny
   </LimitExcept>
# ...
</Directory>

Rationale

Minimizing the number of available methods to the web client reduces risk by limiting the capabilities allowed by the web server.

ID
xccdf_org.ssgproject.content_rule_httpd_limit_available_methods
Severity
Unknown
Updated