OPTIONS request is documented here - https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS

It's used by fetch() API (https://fetch.spec.whatwg.org/) for requests from the browser to the Prometheus API.

When it's issued is documented:
https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests

So I would just say that it's part of the standard for communicating between browser and the server. But I'm no expert on web security so don't quote me on that.

On Friday, 30 October 2020 at 09:45:48 UTC [email protected] wrote:

> agree on that.. but my company policy states that even for info/low I need
> to seek waiver to close it off..
>
> just need some closure on this. if it is indeed used then i can declare
> that it is required and accept it.
>
> On Friday, October 30, 2020 at 5:16:20 PM UTC+8 [email protected] wrote:
>
>> Might be
>> https://www.rapid7.com/db/vulnerabilities/http-options-method-enabled
>>
>> "Web servers that respond to the OPTIONS HTTP method expose what other
>> methods are supported by the web server, allowing attackers to narrow and
>> intensify their efforts."
>>
>> Which feels like a bit of a stretch, it's only a problem if it enables
>> other attacks and given the number of HTTP methods it won't slow down
>> any attacker.
>> It's a bit like saying "a login form exposes where to input user password
>> for a brute-force attack" ;)
>>
>> On Friday, 30 October 2020 at 09:01:42 UTC [email protected] wrote:
>>
>>> it gave a cvss score of 2.6 low and highlight that
>>> http-options-method-enabled.
>>>
>>> i could possibly have this waived off, but need to know if it is
>>> required or is there any way I can disable it if it is not critical to be
>>> used.
>>>
>>> On Friday, October 30, 2020 at 4:12:41 PM UTC+8 [email protected] wrote:
>>>
>>>> What exactly does your security scanner say about OPTIONS on
>>>> prometheus? It sounds like a false positive.
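
As an added illustration (not part of the original thread and not Prometheus code), the sketch below applies a simplified form of the Fetch/CORS rules linked above to show when a browser sends an OPTIONS preflight before a cross-origin request. The function names, hostnames and sample requests are assumptions made for the example.

```javascript
// Simplified from the Fetch spec's CORS rules. Omitted: the spec's byte-level
// value checks, and Range (treated here as non-safelisted).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// True if a request header does not, by itself, force a preflight.
function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (value.length > 128) return false;
  if (n === "content-type") {
    const essence = value.split(";")[0].trim().toLowerCase();
    return SAFE_CONTENT_TYPES.has(essence);
  }
  return SAFE_HEADERS.has(n);
}

// Returns the OPTIONS preflight a browser would send first, or null if the
// request goes out directly (same-origin, or a "simple" cross-origin request).
function preflightFor(pageOrigin, url, init = {}) {
  const origin = new URL(pageOrigin).origin;
  const target = new URL(url, pageOrigin);
  if (target.origin === origin) return null; // same-origin: CORS not involved

  const method = (init.method || "GET").toUpperCase();
  const unsafe = Object.entries(init.headers || {})
    .filter(([n, v]) => !isSafelistedHeader(n, String(v)))
    .map(([n]) => n.toLowerCase())
    .sort();
  if (SAFE_METHODS.has(method) && unsafe.length === 0) return null;

  const headers = { Origin: origin, "Access-Control-Request-Method": method };
  if (unsafe.length) headers["Access-Control-Request-Headers"] = unsafe.join(",");
  return { method: "OPTIONS", path: target.pathname + target.search, headers };
}

// Constructed sample: a dashboard on another origin querying a Prometheus API.
const sample = preflightFor(
  "https://dashboard.example",
  "http://prometheus.example:9090/api/v1/query?query=up",
  { headers: { Authorization: "Bearer PLACEHOLDER" } }
);
console.log(sample);
```

An OPTIONS request carrying both `Origin` and `Access-Control-Request-Method` is a preflight in this sense, which is the distinction that matters when deciding whether the scanner finding describes traffic that browsers actually depend on.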

