How To Disable The Vulnerability of Options Method in IIS and Apache

How To Disable The Vulnerability of Options Method in IIS and Apache

Options are analytical protocols commonly utilized to repair and clear up these web servers. It is an HTTP system that mainly specifies the HTTP Methods permitted on a web server. However, it is not commonly used to perform a reasonable task on the server. Most frequently, it serves as a crack that lets attackers have an easy way to launch an attack. It is thus, recommended to block that possible access by disabling the Options method.

How to close that loophole and secure your server

The best way to handle this issue is to disable the OPTIONS method. This article tells you what you need to do and steps you ought to follow to disable it.

Different Ways to disable Options

There are different ways to disable options. These differ based on the type and version of the web server.

How to disable options in New versions of IIS

To disable options in IIS, disallow the OPTIONS verb out of the rulings of HTTP Verb Request Filtering in IIS. To do this, follow these steps:

Step 1: Click to Open IIS Manager.

Step 2: Click on the name of the appliance to set it up globally. Alternatively, alter the particular website that you are setting this up for.

Step 3: Click on “RequestFiltering” twice.

Step 4: Alter the button of HTTP Verbs.

Step 5: Visit the Actions panel and choose “Deny Verb“.

Step 6: Integrate ‘OPTIONS’ in the Verb, and click on OK to save the alterations you just made.

How to disable options in old versions of IIS

Step 1: Go to IIS Manager and right click on the website and click on Properties.

Step 2: Change to the Home Directory, and hit on the Configuration tab.

Step 3: This displays a list of app extensions. Find the extension that is being utilized by your web app and click on Edit.

Step 4: When the window displays, go to the Limit To field and select the system that you want to enable and delete the remaining that are not required.

How to disable options in Apache

The standard way to disable particular HTTP process in the Apache web server is through mod rewrite. Mod rewrite is a statutes-dependent, rewriting engine which can be loaded in the typical apache set up file. The rewriting machine can as well loaded as section of an .htaccess file. The least amount of elements to a mod_rewrite decree or ruling is four. These are; the commands that display the module, the commands that alter the rewrite machine on, a rewrite order, and a rewrite ruling.

Follow the step below to implement this:

Step 1: Check the Apache setup file

Look inside your apache set up file(s) to see if you can locate the mod_rewrite.so. If you do not locate it, integrate the command line into your apache set up file commonly referred to as httpd.conf):

LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so

Step 2: Enable a rewrite machine

To allow the rewrite machine, implement this code: RewriteEngineOn

Step 3: Disable Option

To disable option, implement this code:

RewriteCond%{REQUEST_METHOD} ^OPTIONS
RewriteRule .* - [F]
i.e.,
RewriteEngineOn
RewriteCond%{REQUEST_METHOD} ^OPTIONS
RewriteRule .* - [F]

Steps 4: Configure flags

At this stage, you need to configure Flags.Configure [F] to stand for not allowed query. In the same way, configure [R] to represent the redirection of the page.

It is essential to let you know at this point that pre-set rewrite setups are not transferred between virtual servers. Incorporate RewriteEngine into every individual virtual host.

How to disable options in Apache Tomcat

In Apache Tomcat, security is improved through security constraints structured into the Java Servlet arrangement. These are not present inside the main server.xml file found in tomcat but inside the web.xml configuration file.

webapps/theAPP/WEB-INF/web.xml

// Sample Security Constraint
<security-constraint>
<web-resource-collection>
<web-resource-name>
<strong>restricted methods</strong>
</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>

 

Check out the top 3 Best web hosting services

Hostinger
AU$4.66 /mo
Starting price
Visit Hostinger
Rating based on expert review
  • User Friendly
    4.7
  • Support
    4.7
  • Features
    4.8
  • Reliability
    4.8
  • Pricing
    4.7
IONOS
AU$1.56 /mo
Starting price
Visit IONOS
Rating based on expert review
  • User Friendly
    4.5
  • Support
    4.0
  • Features
    4.5
  • Reliability
    4.5
  • Pricing
    4.3
Ultahost
AU$4.52 /mo
Starting price
Visit Ultahost
Rating based on expert review
  • User Friendly
    4.3
  • Support
    4.8
  • Features
    4.5
  • Reliability
    4.0
  • Pricing
    4.8
  • Click this link and all your queries to best hosting will end.

How to Install MySQL on a Windows Web Server Running Apache

This tutorial will show you how to install the MySQL database on a Windows serve
3 min read
Michael Levanduski
Michael Levanduski
Expert Hosting Writer & Tester

How to Configure Nginx and Apache on the same Ubuntu VPS or Dedicated Server

Nginx and Apache are great and powerful web servers. However, they both have dra
2 min read
Idan Cohen
Idan Cohen
Marketing Expert

How to Harden the Apache web server on a CentOS 7 VPS or Dedicated Server

In this how-to article, we illustrate how to harden an Apache web server, runnin
2 min read
Eliran Ouzan
Eliran Ouzan
Web Designer & Hosting Expert

How to Install OpenCart on an Ubuntu 18.04 Server or VPS with Apache, MariaDB and PHP 7

In this how-to, you'll learn how to install OpenCart, an open source shopping ca
3 min read
Angela Olaru
Angela Olaru
Senior Writer & Hosting Expert
HostAdvice.com provides professional web hosting reviews fully independent of any other entity. Our reviews are unbiased, honest, and apply the same evaluation standards to all those reviewed. While monetary compensation is received from a few of the companies listed on this site, compensation of services and products have no influence on the direction or conclusions of our reviews. Nor does the compensation influence our rankings for certain host companies. This compensation covers account purchasing costs, testing costs and royalties paid to reviewers.
Click to go to the top of the page
Go To Top