Control Request Methods

Category: Blog • Posted by Jeff Starr • Updated:

Sites hosted on Apache servers can accept a wide range of request methods. For example, most developers are familiar with GET and POST requests. Other request methods are less common, such as DELETE, HEAD, and PUT. While many types of request methods are harmless or even beneficial, some of them are just unnecessary and serve to increase the overall security liability of your site. This post explains how to lock things down by blocking or allowing only specific types of HTTP requests.

Blocking Request Methods

This technique blocks some request methods that most sites never use. Why block them? Because they may be used by teh bad guys to scan and covertly attack your site. Think of these request types as hidden doors to your house that none of your friends use or even know about. But that pathetic loser down the street knows all about the hidden doors, and uses them for his evil schemes. You don’t it want it, bro.

To lock the doors, you can add the following .htaccess snippet to your site’s root .htaccess file:

RewriteRule .* - [F,L]

This snippet blocks all of the following requests methods:

  • MOVE
  • PUT

Important: before implementing this technique, make sure that your site does not rely on any of these blocked request methods. Most don’t, but you want to be sure. Ask your host or local expert if in doubt.

Allowing Request Methods

Whereas the previous technique blacklists undesirable request methods, this technique takes the opposite approach and whitelists desirable request methods. Here is the magically delicious code snippet:

RewriteRule .* - [F,L]

After adding to your site’s root .htaccess file, this snippet will block any request that is not of the following methods:

  • GET
  • HEAD
  • POST
  • PUT

Again, before implementing this technique, make sure that your site does not rely on any methods that are not on this list.

To get even more hardcore, you can force GET and POST requests for even greater security. But again, only do so if you are 100% sure that no other methods are required. Static HTML sites generally are good candidates for this level of protection.