https://live.paloaltonetworks.com/t5/general-topics/what-is-http-options-method/m-p/20217#M14712 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>In our ACC I can see that the status bar is 3.7, thanks to the vulnerability HTTP OPTIONS Method. The problem is that I have no idea what this is and how I can fix this. <BR />How can I fix this problem?</P></BODY></HTML> Tue, 08 Jul 2014 12:32:31 GMT ZEBIT 2014-07-08T12:32:31Z https://live.paloaltonetworks.com/t5/general-topics/what-is-http-options-method/m-p/20217#M14712 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>In our ACC I can see that the status bar is 3.7, thanks to the vulnerability HTTP OPTIONS Method. The problem is that I have no idea what this is and how I can fix this. <BR />How can I fix this problem?</P></BODY></HTML> Tue, 08 Jul 2014 12:32:31 GMT https://live.paloaltonetworks.com/t5/general-topics/what-is-http-options-method/m-p/20217#M14712 ZEBIT 2014-07-08T12:32:31Z https://live.paloaltonetworks.com/t5/general-topics/what-is-http-options-method/m-p/20218#M14713 <HTML><HEAD></HEAD><BODY><H2>OPTIONS Method</H2><P>The OPTIONS method is used by the client to find out what are the HTTP methods and other options supported by a web server. The client can specify a URL for the OPTIONS method, or an asterisk (*) to refer to the entire server. The following example request a list of methods supported by a web server running on tutorialspoint.com:</P><PRE class="result">OPTIONS * HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT) </PRE><P><A href="http://www.tutorialspoint.com/http/http_methods.htm" title="http://www.tutorialspoint.com/http/http_methods.htm">HTTP Methods</A></P><P>________________</P><P>How to fix the issue:</P><P></P><P>From what I have researched, I believe you can only configure your web servers to not allow this method. There is nothing on the firewall that can be done. </P></BODY></HTML> Tue, 08 Jul 2014 13:39:39 GMT https://live.paloaltonetworks.com/t5/general-topics/what-is-http-options-method/m-p/20218#M14713 DaveCorwin 2014-07-08T13:39:39Z https://live.paloaltonetworks.com/t5/general-topics/what-is-http-options-method/m-p/20219#M14714 <HTML><HEAD></HEAD><BODY><P>As Dave mentioned, you would need to turn this off on the web server.</P><P></P><P>With Microsoft IIS you would use user request filtering to remove the options keyword.</P><P></P><P><A href="http://www.iis.net/learn/manage/configuring-security/use-request-filtering" title="http://www.iis.net/learn/manage/configuring-security/use-request-filtering">Use Request Filtering : The Official Microsoft IIS Site</A></P><P></P><P>You may also be interesting in the MS Technet article on hardening production IIS servers and the lockdown tool.</P><P></P><P><A href="http://technet.microsoft.com/en-us/library/dd450371%28v=ws.10%29.aspx" title="http://technet.microsoft.com/en-us/library/dd450371%28v=ws.10%29.aspx">Security Guidance for IIS</A></P></BODY></HTML> Tue, 08 Jul 2014 16:52:23 GMT https://live.paloaltonetworks.com/t5/general-topics/what-is-http-options-method/m-p/20219#M14714 pulukas 2014-07-08T16:52:23Z https://live.paloaltonetworks.com/t5/general-topics/what-is-http-options-method/m-p/20220#M14715 <HTML><HEAD></HEAD><BODY><P>Good one Steven ....</P></BODY></HTML> Tue, 08 Jul 2014 17:30:58 GMT https://live.paloaltonetworks.com/t5/general-topics/what-is-http-options-method/m-p/20220#M14715 hshah 2014-07-08T17:30:58Z