5.7 Ensure HTTP Request Methods Are Restricted - 'Require all denied'

Information

Use the Apache '
* ' directive to restrict unnecessary HTTP request methods of the web server so it only accepts and processes the 'GET', 'HEAD', 'POST' and 'OPTIONS' HTTP request methods.

Rationale:

The HTTP 1.1 protocol supports several request methods which are rarely used and potentially high risk. For example, methods such as 'PUT' and 'DELETE' are rarely used and should be disabled in keeping with the security principle of minimizing features and options. Also, since these methods are typically used to modify resources on the web server, they should be explicitly disallowed. For normal web server operation, you will typically need to allow only the 'GET', 'HEAD' and 'POST' request methods. This will allow for downloading web pages and submitting information to web forms. The 'OPTIONS' request method will also be allowed as it is used to request which HTTP request methods are allowed. Unfortunately, the Apache '
* ' directive does not deny the 'TRACE' request method. The 'TRACE' request method is disallowed in another benchmark recommendation with the 'TraceEnable' directive.

Solution

Perform the following to implement the recommended state:

1. Locate the Apache configuration files and included configuration files.
2. Search for the directive on the document root directory, such as:

<Directory "/usr/local/apache2/htdocs">
...
</Directory>

3. Ensure that the access control order within the '<Directory>' directive is 'deny,allow'.

Order allow,deny

4. Add a directive as shown below within the group of document root directives.

# Limit HTTP methods to standard methods. Note: Does not limit TRACE
<LimitExcept GET POST OPTIONS>
Deny from all
</LimitExcept>

5. Search for other directives in the Apache configuration files in places other than the root directory, and add the same directives to each. It is very important to understand that the directives are based on the OS file system hierarchy as accessed by Apache and not the hierarchy of the locations within web site URLs.

<Directory "/usr/local/apache2/cgi-bin">
...
Order allow,deny
# Limit HTTP methods
<LimitExcept GET POST OPTIONS>
Deny from all
</LimitExcept>
</Directory>

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv6|9.1, CSCv7|9.2

Plugin: Unix

Control ID: 5254cb2747c608d550ccecfd60299ed54daba2995b6e8996bee567d627e55ce1