{"id":2943,"date":"2014-03-27T23:02:01","date_gmt":"2014-03-27T15:02:01","guid":{"rendered":"http:\/\/rmohan.com\/?p=2943"},"modified":"2014-03-27T23:02:01","modified_gmt":"2014-03-27T15:02:01","slug":"restrict-unused-http-methods-and-verbose-http-headers","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=2943","title":{"rendered":"Restrict unused HTTP methods and Verbose HTTP headers"},"content":{"rendered":"<p><span style=\"line-height: 1.5em;\">Restricting unused HTTP methods<\/span><\/p>\n<p>The HTTP method is supplied in the request line and specifies the operation that the client has requested. Browsers will generally use just two methods to access and interact with web sites: GET for queries that can be safely repeated and POST for operations that may have side effects. This means we need to disable unused HTTP methods. Some of them are: (PUT|DELETE|TRACE|TRACK|COPY|MOVE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL). Check with the application teams whether they need any of these methods for the application to work before disabling them.<\/p>\n<p>Testing before limiting HTTP methods:<\/p>\n<p>telnet rmohan.com 80<br \/>\nTrying xx.xx.xx.xx\u2026<br \/>\nConnected to rmohan.com.<br \/>\nEscape character is \u2018^]\u2019.<br \/>\nOPTIONS \/ HTTP\/1.1<br \/>\nHost: rmohan.com<\/p>\n<p>HTTP\/1.1 200 OK<br \/>\nDate: Thu, 14 Sep 2010 00:11:57 GMT<br \/>\nServer: Apache Web Server<br \/>\nContent-Length: 0<br \/>\nAllow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE<\/p>\n<p>Connection closed by foreign host.<\/p>\n<p>Your IBM HTTP Server configuration file [httpd.conf] has two sections, the main section and the virtualhost section. You need to add the following code in both places.<\/p>\n<p>I am explaining this task using the mod_rewrite module. So, first make sure that mod_rewrite is enabled. 
Then, add the following lines to the main and virtualhost sections of your httpd.conf file.<\/p>\n<p>RewriteEngine On<br \/>\nRewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|TRACK|COPY|MOVE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL)<br \/>\nRewriteRule .* - [F]<\/p>\n<p>Restart the web server after adding the above lines.<br \/>\nNow, when someone tries to use one of these HTTP methods, they will get a Forbidden response, since we specified [F] in the rewrite rule.<\/p>\n<p>Testing after adding the lines and restarting the web server:<\/p>\n<p>telnet rmohan.com 80<br \/>\nTrying xx.xx.xx.xx&#8230;<br \/>\nConnected to rmohan.com.<br \/>\nEscape character is &#8216;^]&#8217;.<br \/>\nOPTIONS \/ HTTP\/1.1<br \/>\nHost: rmohan.com<\/p>\n<p>HTTP\/1.1 200 OK<br \/>\nDate: Thu, 14 Sep 2010 00:15:44 GMT<br \/>\nServer: Apache Web Server<br \/>\nContent-Length: 0<br \/>\nAllow: GET, POST<br \/>\nConnection closed by foreign host.<\/p>\n<p>Testing the TRACE method:<\/p>\n<p>telnet rmohan.com 80<br \/>\nTrying xx.xx.xx.xx&#8230;<br \/>\nConnected to rmohan.com.<br \/>\nEscape character is &#8216;^]&#8217;.<br \/>\nTRACE \/ HTTP\/1.0<br \/>\nHost: rmohan.com<br \/>\ntesting&#8230; &lt;- ENTER twice<\/p>\n<p>HTTP\/1.1 403 Forbidden<br \/>\nDate: Thu, 14 Sep 2010 00:18:31 GMT<br \/>\nServer: Apache Web Server<br \/>\nContent-Length: 320<br \/>\nConnection: close<br \/>\nContent-Type: text\/html; charset=iso-8859-1<\/p>\n<p>Forbidden<br \/>\nYou don&#8217;t have permission to access \/ on this server.<br \/>\nConnection closed by foreign host.<\/p>\n<p>Disable verbose HTTP headers:<\/p>\n<p>You might have seen this: when the web server [Apache or IBM HTTP Server] throws an error page, it sometimes shows information about its version, build, modules, etc. This is a security issue, since you are giving away details about your web server. 
For example, take a look at this:<\/p>\n<p>Server: Apache\/2.0.53 (Ubuntu) PHP\/4.3.10-10ubuntu4 Server at xx.xx.xx.xx Port 80<br \/>\nThe Server header line exposes version and variant information about the Linux operating system and the Apache software used on the machine. This indirectly points attackers to the security holes that may exist, or at least makes it easier for them to identify available attack points on your system.<br \/>\nTo ensure that the Apache HTTP web server does not broadcast this message to the whole world and to fix this possible security issue, modify the two directives ServerTokens and ServerSignature in the httpd.conf configuration file.<\/p>\n<p>ServerTokens<\/p>\n<p>This directive configures what you return as the Server HTTP response header. The built-in default is \u2018Full\u2019, which sends information about the OS type and compiled-in modules. The recommended value is \u2018Prod\u2019, which sends the least information.<\/p>\n<p>Options: Full | OS | Minor | Minimal | Major | Prod<\/p>\n<p>\u201cServerTokens Prod\u201d<\/p>\n<p>This configures Apache to return only \u201cApache\u201d as the product in the Server response header on every page request, suppressing OS, major and minor version info.<\/p>\n<p>ServerSignature<\/p>\n<p>This directive lets you add a line containing the server version and virtual host name to server-generated pages. 
It is recommended to set it to Off. Setting it to &#8220;EMail&#8221; instead also includes a mailto: link to the ServerAdmin.<\/p>\n<p>Options: On | Off | EMail<\/p>\n<p>\u201cServerSignature Off\u201d<\/p>\n<p>This instructs Apache not to display a trailing footer line under server-generated documents; that footer would show the server version number, the ServerName of the serving virtual host, the email setting, etc.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Restricting unused HTTP methods<\/p>\n<p>The HTTP method is supplied in the request line and specifies the operation that the client has requested. Browsers will generally just use two methods to access and interact with web sites; GET for queries that can be safely repeated and POST for operations that may have side effects. This means, [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2943"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2943"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2943\/revisions"}],"predecessor-version":[{"id":2944,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2943\/revisions\/2944"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2943"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2943"},{"taxonomy":"post_tag","embeddable":true,"href":
"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2943"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}