The typical way to block OPTIONS in 2.2 does not need mod_rewrite at all IIRC. You just add this in your location/directory:
        <LimitExcept GET POST>
                deny from all

and will return 403 if you try OPTIONS method there

El vie., 12 feb. 2016 a las 7:41, Spork Schivago (<>) escribió:
Thank you.   I do see the 200 OK response.


HTTP/1.1 200 OK
Date: Fri, 12 Feb 2016 06:35:33 GMT
Server: Apache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Content-Length: 0
Connection: close
Content-Type: text/html

Connection closed by foreign host.

How do I go about fixing this again?   I'd like the fix to be server wide, so I'd want to put this in my httpd.conf file?

RewriteRule .* - [R=405,L]
RewriteRule ^[^/] - [R=403,L]

I'm currently redirecting all http traffic to the https version of my site using this in .htaccess files:

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*) https://%{HTTP_HOST}/$1 [R]

I'd like to add that to make it server wide as well I think.   Just gotta figure out where to put it in the httpd.conf file (or the vhosts .conf files).   I use cPanel / WHM and EasyApache so it makes things much harder to figure out.

On Fri, Feb 12, 2016 at 12:33 AM, Toomas Aas <> wrote:

On 02/12/2016 03:38 AM, Spork Schivago wrote:

Sorry to put in here, but is there away for me to test to see if my
server is affected by this OPTIONS issue?

Testing is easy. Just telnet to port 80 of your server, type "OPTIONS / HTTP/1.0" and press Enter twice.

$ telnet 80
Connected to
Escape character is '^]'.

HTTP/1.0 200 OK
Content-Length: 0
Connection: close
Date: Fri, 12 Feb 2016 05:29:26 GMT
Server: Apache

If you see the "200 OK" response, you are affected

Toomas Aas | support engineer

To unsubscribe, e-mail:
For additional commands, e-mail: