httpd-users mailing list archives

From Toomas Aas
Subject [users@httpd] Block access to "OPTIONS *"
Date Thu, 11 Feb 2016 21:56:22 GMT

An external party performed a "security scan" against our web server, which
is running version 2.2.29. One of the findings is that the OPTIONS directive
is not blocked, and I am tasked with fixing this.

Google turns up two popular approaches:

Approach 1:
RewriteCond %{REQUEST_METHOD} ^OPTIONS
RewriteRule .* - [R=405,L]

Approach 2:
<Location />
    <Limit OPTIONS>
         Order allow,deny
         Deny from all
    </Limit>
</Location>

I have tried them both, and they nicely block requests such as "OPTIONS
/" or "OPTIONS /whatever". However, the security scan software performs
the request "OPTIONS *". To that, Apache still responds with error code 200.

It is obvious why this happens with the second method, so I tried
<LocationMatch .*> instead of <Location />. No difference.

How can I block requests to "OPTIONS *" so that the response would be
something with a 4xx error?

Toomas Aas | support engineer

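A way to re-check the scanner's finding after each configuration change, added here as an example and not part of the original message: it sends the three OPTIONS requests mentioned above and reports which ones are answered with a 4xx status. The function names and the local stub server (a constructed stand-in that reproduces the behaviour described in the post) are assumptions for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def options_status(host, port, target, timeout=5.0):
    """Send 'OPTIONS <target> HTTP/1.1'; return (status, Allow header)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # http.client sends the target verbatim, so "*" goes out as the
        # asterisk-form request-target rather than as a path.
        conn.request("OPTIONS", target)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Allow")
    finally:
        conn.close()

def audit(host, port, targets=("*", "/", "/whatever")):
    """Map each request-target to True when the server answers with 4xx."""
    return {t: 400 <= options_status(host, port, t)[0] < 500 for t in targets}

class _StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: 405 for path targets, 200 for 'OPTIONS *'."""
    def do_OPTIONS(self):
        if self.path == "*":
            self.send_response(200)
            self.send_header("Allow", "GET,HEAD,POST,OPTIONS")
        else:
            self.send_response(405)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output quiet

def demo():
    """Run the audit against the constructed stub on a free loopback port."""
    server = HTTPServer(("127.0.0.1", 0), _StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for target, blocked in demo().items():
        print(f"OPTIONS {target}: {'blocked (4xx)' if blocked else 'NOT blocked'}")
```

Against a real host, call `audit(host, port)` directly; an entry of `False` for `*` corresponds to the finding the scan reported.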