Hello!

An external party performed a "security scan" against our web server, which is running version 2.2.29. One of the findings is that the OPTIONS directive is not blocked and I am tasked with fixing this.

Google turns up two popular approaches:

Approach 1:
-------------------------------------
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule .* - [R=405,L]
-------------------------------------

Approach 2:
--------------------
<Location />
<Limit OPTIONS>
        Order allow,deny
        Deny from all
</Limit>
</Location>
--------------------

I have tried them both, and they nicely block requests such as "OPTIONS /" or "OPTIONS /whatever". However, the security scan software performs the request "OPTIONS *". To that, Apache still responds with error code 200.

It is obvious why this happens with the second method, so I tried <LocationMatch .*> instead of <Location />. No difference.

How can I block requests to "OPTIONS *" so that the response would be something with a 4xx error?

--
Toomas Aas | support engineer
www.reach-u.com
