This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

What is HTTP OPTIONS Method

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

What is HTTP OPTIONS Method

Go to solution
ZEBIT
L3 Networker

‎07-08-2014 05:32 AM

Hi,

In our ACC I can see that the status bar is 3.7, thanks to the vulnerability HTTP OPTIONS Method. The problem is that I have no idea what this is and how I can fix this.
How can I fix this problem?

1 accepted solution

Accepted Solutions

Go to solution
pulukas
L7 Applicator

‎07-08-2014 09:52 AM

As Dave mentioned, you would need to turn this off on the web server.

With Microsoft IIS you would use user request filtering to remove the options keyword.

Use Request Filtering : The Official Microsoft IIS Site

You may also be interesting in the MS Technet article on hardening production IIS servers and the lockdown tool.

Security Guidance for IIS

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

View solution in original post

3 REPLIES 3

Go to solution
DaveCorwin
Not applicable

‎07-08-2014 06:39 AM

OPTIONS Method

The OPTIONS method is used by the client to find out what are the HTTP methods and other options supported by a web server. The client can specify a URL for the OPTIONS method, or an asterisk (*) to refer to the entire server. The following example request a list of methods supported by a web server running on tutorialspoint.com:

OPTIONS * HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

HTTP Methods

________________

How to fix the issue:

From what I have researched, I believe you can only configure your web servers to not allow this method. There is nothing on the firewall that can be done.

Go to solution
pulukas
L7 Applicator

‎07-08-2014 09:52 AM

As Dave mentioned, you would need to turn this off on the web server.

With Microsoft IIS you would use user request filtering to remove the options keyword.

Use Request Filtering : The Official Microsoft IIS Site

You may also be interesting in the MS Technet article on hardening production IIS servers and the lockdown tool.

Security Guidance for IIS

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Go to solution
hshah
L6 Presenter
In response to pulukas

‎07-08-2014 10:30 AM

Good one Steven ....

0 Likes Likes
  • 1 accepted solution
  • 7415 Views
  • 3 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks