Disable HTTP methods
We can block the use of specific HTTP methods to request local or remote resources, which reduces exposure to security vulnerabilities.
Modify the WebSEAL configuration file to disable specific HTTP methods.
- Use the http-method-disabled-local stanza entry in the [server] stanza to disable the use of specific methods to request resources over a local junction.
- Use the http-method-disabled-remote stanza entry in the [server] stanza to disable the use of specific methods to request remote resources.
We can use a comma (,) to separate multiple methods. For example, the following configuration entry blocks access to the TRACE and PUT methods over local junctions:
[server]
http-method-disabled-local = TRACE,PUT
By default, WebSEAL disables the TRACE, PUT, DELETE, and CONNECT methods. The default values for these configuration entries are as follows:
[server]
http-method-disabled-local = TRACE,PUT,DELETE,CONNECT
http-method-disabled-remote = TRACE,PUT,DELETE,CONNECT
We can enable a blocked method by removing the method name from these two entries in the WebSEAL configuration file.
To enable all HTTP methods for local responses, set the following entry:
[server]
http-method-disabled-local =
To enable all HTTP methods for junctioned responses, set the following entry:
[server]
http-method-disabled-remote =
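Because an empty value enables every method, it is worth checking a configuration file for entries that re-enable methods blocked by default. The following Python script is an added example, not part of the WebSEAL product or its documentation. It assumes the file uses "[stanza]" headers, "key = value" entries and "#" comment lines, and that a later duplicate entry overrides an earlier one. The sample text is constructed.

```python
"""Report default-blocked HTTP methods that a WebSEAL config re-enables."""

DEFAULT_BLOCKED = {"TRACE", "PUT", "DELETE", "CONNECT"}  # defaults stated above
ENTRIES = ("http-method-disabled-local", "http-method-disabled-remote")

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
# constructed sample
[server]
http-method-disabled-local = TRACE,PUT
http-method-disabled-remote =

[example-other-stanza]
http-method-disabled-local = TRACE
"""

def disabled_methods(conf_text):
    """Map each entry in [server] to its set of methods, or None if absent."""
    result = {entry: None for entry in ENTRIES}
    stanza = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
            continue
        if stanza != "server" or "=" not in line:
            continue                            # only the [server] stanza counts
        key, _, value = line.partition("=")
        if key.strip() in result:
            # Method names are compared exactly as written (no case folding).
            result[key.strip()] = {m.strip() for m in value.split(",") if m.strip()}
    return result

def audit(conf_text):
    """Return {entry: sorted default-blocked methods that the entry leaves enabled}."""
    findings = {}
    for entry, methods in disabled_methods(conf_text).items():
        if methods is None:
            continue                            # entry absent from this file
        enabled = sorted(DEFAULT_BLOCKED - methods)
        if enabled:
            findings[entry] = enabled
    return findings

if __name__ == "__main__":
    for entry, methods in audit(SAMPLE).items():
        print(f"{entry}: enabled {', '.join(methods)}")
```

An entry that is absent from the file is skipped rather than reported, so confirm the effective value for such entries separately.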