Block access to "OPTIONS *"

Hello!

An external party performed a "security scan" against our web server, which is running version 2.2.29. One of the findings is that the OPTIONS directive is not blocked, and I am tasked with fixing this.

Google turns up two popular approaches:

Approach 1:
-------------------------------------
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule .* - [R=405,L]
-------------------------------------

Approach 2:
--------------------
<Location />
<Limit OPTIONS>
        Order allow,deny
        Deny from all
</Limit>
</Location>
--------------------

I have tried them both, and they nicely block requests such as "OPTIONS /" or "OPTIONS /whatever". However, the security scan software performs the request "OPTIONS *". To that, Apache still responds with error code 200.

It is obvious why this happens with the second method, so I tried <LocationMatch .*> instead of <Location />. No difference.

How can I block requests to "OPTIONS *" so that the response would be something with a 4xx error?

--
Toomas Aas | support engineer
www.reach-u.com
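
To reproduce the scanner's finding and to confirm any fix, the following added example (not part of the original message) sends OPTIONS with the asterisk-form and the path-form request targets and reports the status of each. The names probe_options, unblocked and StandIn are hypothetical, and StandIn is a constructed local server that only mimics the behaviour reported above so the script runs offline; call probe_options with the real host and port to test an actual server.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe_options(host, port, targets=("*", "/", "/whatever"), timeout=5):
    """Send OPTIONS with each request-target; return {target: (status, Allow)}."""
    results = {}
    for target in targets:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            # http.client writes the target verbatim: "*" becomes "OPTIONS * HTTP/1.1"
            conn.request("OPTIONS", target)
            resp = conn.getresponse()
            resp.read()
            results[target] = (resp.status, resp.getheader("Allow"))
        finally:
            conn.close()
    return results

def unblocked(results):
    """Request-targets for which OPTIONS was not refused with a 4xx status."""
    return [t for t, (status, _) in results.items() if not 400 <= status < 500]

class StandIn(BaseHTTPRequestHandler):
    """Constructed stand-in, not Apache: mimics the behaviour reported in the post."""
    def do_OPTIONS(self):
        if self.path == "*":          # asterisk-form slips past path-based rules
            self.send_response(200)
            self.send_header("Allow", "GET,HEAD,POST,OPTIONS")
        else:                         # path-form requests are refused
            self.send_response(405)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):     # keep the demo output quiet
        pass

def demo():
    server = HTTPServer(("127.0.0.1", 0), StandIn)   # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_options("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for target, (status, allow) in demo().items():
        print(f"OPTIONS {target:<10} -> {status} Allow={allow}")
```

Once a fix is in place, unblocked(probe_options(host, port)) should return an empty list.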
