How to respond to an HTTP OPTIONS request?

Tags:

http

The HTTP OPTIONS method is supposedly used to determine what other methods the server supports on a given resource. Given that, I have two questions:

  • What does this response look like? I have seen examples with CSV lists in Public, Allow, and even Access-Control-Allow-Methods headers. Are they all needed? What's the difference? RFC 2616 doesn't seem to be very helpful here.

  • Would it be appropriate to use this to list the actions that a resource supports in a non-REST-API environment? For example, if my ConversionController supports the action convert, would a response like this make sense:

Request:

OPTIONS /conversion HTTP/1.1 

Response:

HTTP/1.1 200 OK
...
Allow: CONVERT
...

Score: 405
Asked Aug 13 '12 00:08 by FtDRbwLXw6



2 Answers

RFC 2616 defines "Allow" (http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.7). "Public" is not in use anymore. "Access-Control-Allow-Methods" is defined in the CORS specification (see http://www.w3.org/TR/cors/).

Score: 92
Answered Sep 22 '22 14:09 by Julian Reschke


What is an HTTP OPTIONS request?

It is a request from the client to know what HTTP methods the server will allow, like GET, POST, etc.

Request

The request might look like this when asking about the options for a particular resource:

OPTIONS /index.html HTTP/1.1 

or like this when asking about the server in general:

OPTIONS * HTTP/1.1 

Response

The response would contain an Allow header with the allowed methods:

Allow: OPTIONS, GET, HEAD, POST 

Why is the server receiving an HTTP OPTIONS request?

  • Some REST APIs need it (but if you are defining the API, you'd know that)
  • Browsers send it to servers as "preflighted" requests to see if the server understands CORS
  • Attackers send it to get more information about the API

How to respond to an HTTP OPTIONS request?

  • You could respond with an Allowed header and even document your API in the body.
  • You could respond with additional CORS defined Access-Control-Request-* headers.
  • You could respond with 405 Method Not Allowed or 501 Not Implemented.

How do I stop getting HTTP OPTIONS requests?

  • If it's coming from a browser then update your API so that it isn't doing anything "dangerous" (like PUT or DELETE, or POST with application/json). Only perform simple requests.

See also

  • RFC 2616 Section 9: Method definitions
  • MDN Web docs: OPTIONS
  • MDN Web docs: Cross-Origin Resource Sharing (CORS)
  • CORS - What is the motivation behind introducing preflight requests?
  • How to exploit HTTP Methods
Score: 31
Answered Sep 23 '22 14:09 by Suragch
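The two answers above describe the pieces (an `Allow` header for plain OPTIONS, CORS `Access-Control-Allow-*` headers for a browser preflight, and 405 for methods a resource does not implement) without showing them wired together. The following is an added example, not code from either answer: a small standard-library responder that builds the OPTIONS response from a per-path method table, answers a CORS preflight only for an allow-listed origin, and returns 405 with `Allow` for anything else. The route table, the origin list and the header allow-list are constructed for illustration; `respond()` is the function worth reading.

```python
"""Added example: answering HTTP OPTIONS and CORS preflight requests.

Standard library only. ROUTES, ALLOWED_ORIGINS and ALLOWED_REQUEST_HEADERS
are constructed sample data, not values from any real deployment.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional, Tuple

# Constructed route table: path -> methods the application itself implements.
ROUTES: Dict[str, List[str]] = {
    "/index.html": ["GET"],
    "/conversion": ["POST"],
}
# Constructed CORS policy: exact origins and request headers we accept.
# Never answer "*" for credentialed requests; echo only allow-listed origins.
ALLOWED_ORIGINS = {"https://app.example"}
ALLOWED_REQUEST_HEADERS = {"content-type", "authorization"}
PREFLIGHT_MAX_AGE = 600  # seconds a browser may cache the preflight result

# Canonical ordering so the Allow header is stable and easy to compare.
METHOD_ORDER = ["OPTIONS", "GET", "HEAD", "POST", "PUT", "PATCH", "DELETE"]


def allowed_methods(path: str) -> Optional[List[str]]:
    """Methods permitted on `path` ("*" = whole server), or None if unknown.

    OPTIONS is always allowed, and HEAD is implied wherever GET is.
    """
    if path == "*":
        methods = {m for ms in ROUTES.values() for m in ms}
    elif path in ROUTES:
        methods = set(ROUTES[path])
    else:
        return None
    if "GET" in methods:
        methods.add("HEAD")
    methods.add("OPTIONS")
    return [m for m in METHOD_ORDER if m in methods]


def respond(method: str, path: str, headers) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) for a request line and its headers.

    `headers` only needs a .get() that returns None for missing names.
    """
    methods = allowed_methods(path)
    if methods is None:
        return 404, {"Content-Length": "0"}
    allow = ", ".join(methods)

    if method == "OPTIONS":
        resp = {"Allow": allow, "Content-Length": "0"}
        origin = headers.get("Origin")
        req_method = headers.get("Access-Control-Request-Method")
        if origin and req_method:
            # Browser CORS preflight. Grant it only when the origin is
            # allow-listed, the method is real for this path, and every
            # requested header is on our list; otherwise reply with no
            # Access-Control-* headers and the browser blocks the call.
            wanted = headers.get("Access-Control-Request-Headers") or ""
            requested = [h.strip() for h in wanted.split(",") if h.strip()]
            headers_ok = all(h.lower() in ALLOWED_REQUEST_HEADERS for h in requested)
            if origin in ALLOWED_ORIGINS and req_method in methods and headers_ok:
                resp["Access-Control-Allow-Origin"] = origin
                resp["Vary"] = "Origin"  # cache key must include Origin
                resp["Access-Control-Allow-Methods"] = allow
                if requested:
                    resp["Access-Control-Allow-Headers"] = ", ".join(requested)
                resp["Access-Control-Max-Age"] = str(PREFLIGHT_MAX_AGE)
        return 200, resp

    if method not in methods:
        # 405 must carry Allow so the client learns what would have worked.
        return 405, {"Allow": allow, "Content-Length": "0"}
    return 200, {"Content-Length": "0"}


class Handler(BaseHTTPRequestHandler):
    """Thin adapter: every method funnels into respond()."""

    def _serve(self) -> None:
        status, hdrs = respond(self.command, self.path, self.headers)
        self.send_response(status)
        for name, value in hdrs.items():
            self.send_header(name, value)
        self.end_headers()

    do_OPTIONS = do_GET = do_HEAD = do_POST = do_PUT = do_PATCH = do_DELETE = _serve


if __name__ == "__main__":
    # curl -i -X OPTIONS http://127.0.0.1:8080/index.html   -> Allow: OPTIONS, GET, HEAD
    # curl -i -X PUT     http://127.0.0.1:8080/index.html   -> 405 + Allow
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Two choices worth noting: a failed preflight is still answered 200 with `Allow` but without any `Access-Control-*` headers, which is what makes the browser refuse the cross-origin call while leaving non-browser clients unaffected; and `Vary: Origin` is set whenever an origin is echoed so a shared cache cannot serve one origin's grant to another.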