I have a Ruby on Rails application that is being hosted on Heroku.
For a security review to allow our application, we've been told to disable a number of HTTP methods.
"The application web server must be configured to disable the TRACE and other HTTP methods if not being used."
Is this possible with Heroku? If not, is there a way to disable these methods on the application level?
At the application level, you could add this to your application_controller.rb file:

```ruby
# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  before_filter :reject_methods   # before_action in Rails 5+

  private

  # request.method returns the HTTP verb as an upper-case string ("GET", "TRACE", ...)
  def reject_methods
    if ['TRACE', 'PATCH'].include?(request.method)
      # raise ActionController::RoutingError.new('Not Found')            # 404
      raise ActionController::MethodNotAllowed.new('Method not allowed') # 405
      # or whatever you want to do (redirect, error message, ...)
    end
  end
end
```
Or you could try https://github.com/jtrupiano/rack-rewrite (check the arbitrary rewriting) with something like this (not tested):

```ruby
# config/application.rb (inside the Rack::Rewrite block); the lambda returns the rewritten path
rewrite %r{(.*)}, lambda { |match, rack_env|
  rack_env["REQUEST_METHOD"] == "TRACE" ? "/405.html" : match[1]
}
```
Or you could use your own middleware by putting this in a file under ./lib (e.g. lib/rack/reject_methods.rb):

```ruby
# lib/rack/reject_methods.rb
module Rack
  class RejectMethods
    REJECTED = ['TRACE', 'PATCH']

    def initialize(app)
      @app = app
    end

    def call(env)
      if REJECTED.include?(env["REQUEST_METHOD"])
        # Answer 405 directly; the application is never called for a rejected method
        [405, { "Content-Type" => "text/plain", "Content-Length" => "0" }, []]
      else
        @app.call(env)
      end
    end
  end
end
```
and register it in config/application.rb:

```ruby
# config/application.rb
require File.expand_path('../../lib/rack/reject_methods', __FILE__)
config.middleware.use Rack::RejectMethods
```
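As an added example that is not part of the answer above: the review requirement asks for every method that is not used to be disabled, which is more naturally expressed as an allowlist than as a denylist of TRACE and PATCH. The middleware below (names such as AllowedMethods, RecordingApp, build_env and probe are illustrative, not from any library) permits only the listed methods, answers everything else with 405 plus the Allow header that RFC 7231 requires, and never passes a rejected request to the application. It is plain Ruby with no gems, driven by constructed Rack env hashes so it runs offline.

```ruby
require 'stringio'

# Allowlist-based Rack middleware: only the configured methods reach the app.
# Matching is exact and case-sensitive (HTTP method names are), so an odd
# spelling like "get" fails closed with 405 instead of reaching Rails.
class AllowedMethods
  DEFAULT_ALLOW = %w[GET HEAD POST PUT DELETE OPTIONS].freeze

  def initialize(app, allow: DEFAULT_ALLOW)
    @app = app
    @allow = allow.freeze
    @allow_header = @allow.join(', ')
  end

  def call(env)
    method = env['REQUEST_METHOD'].to_s
    return @app.call(env) if @allow.include?(method)

    # RFC 7231 section 6.5.5: a 405 response MUST carry an Allow header.
    body = "405 Method Not Allowed\n"
    [405,
     { 'Content-Type'   => 'text/plain',
       'Content-Length' => body.bytesize.to_s,
       'Allow'          => @allow_header },
     [body]]
  end
end

# Constructed Rack env for offline use; no real server or request involved.
def build_env(method, path = '/')
  { 'REQUEST_METHOD' => method, 'PATH_INFO' => path, 'rack.input' => StringIO.new }
end

# Fake downstream application that records whether it was reached. A TRACE
# must never get here: TRACE echoes the request back, cookies included.
class RecordingApp
  attr_reader :calls

  def initialize
    @calls = []
  end

  def call(env)
    @calls << env['REQUEST_METHOD']
    [200, { 'Content-Type' => 'text/plain' }, ['ok']]
  end
end

# Send one method through the stack; returns [status, Allow header, app reached?]
def probe(method)
  app   = RecordingApp.new
  stack = AllowedMethods.new(app)
  status, headers, _body = stack.call(build_env(method))
  [status, headers['Allow'], !app.calls.empty?]
end

if __FILE__ == $PROGRAM_NAME
  %w[GET TRACE PATCH get].each { |m| puts "#{m.ljust(6)} -> #{probe(m).inspect}" }
end
```

In a Rails application this would be registered like the RejectMethods class above (config.middleware.use AllowedMethods), or inserted earlier in the stack so that it sees the method as it came in on the wire, before any middleware that rewrites it.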