I have the current configuration in my httpd.conf file. I am trying to remove the vulnerability Authentication Bypass Using HTTP Verb Tampering. I only want to allow certain HTTP request headers, Get and Post in the below example, and a different header should throw an error.
DocumentRoot "c:/dev"
<Directory "C:/dev">
    Options Indexes FollowSymLinks MultiViews Includes
    AllowOverride Limit
    <LimitExcept GET POST>
        Order deny,allow
        Deny from all
    </LimitExcept>
    Order allow,deny
    Allow from all
</Directory>
This configuration is still allowing other HTTP request headers like PUT, OPTIONS etc. I am using the Postman API to test my changes. Please help!
This is how you can limit to GET/POST/OPTIONS. Note: NIST STIGs V-26396 states that this should not be applied to the root but only the others such as in my example (/etc/apache2/apache2.conf):

It appears that this would work as well:
<Location /var/www/>
    Order allow,deny
    Allow from all
    <LimitExcept POST GET>
        Deny from all
    </LimitExcept>
</Location>
<Location /usr/share/>
    Order allow,deny
    Allow from all
    <LimitExcept POST GET>
        Deny from all
    </LimitExcept>
</Location>
Further reading:
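As an added illustration (not code from the question or the answer above), the following Python script models the documented method-matching rule of Apache's <Limit> and <LimitExcept> sections and audits a config snippet for methods that slip past it. The sample configs are constructed, the "Require all denied" form is Apache 2.4 syntax, the merge logic is a deliberate simplification of Apache's authorization merging, and the script is no substitute for probing the running server with a client such as Postman or curl. Its point is the difference between the two section types: a <Limit> block denies only the verbs it lists, so an unlisted or made-up verb is still served (that is the verb-tampering gap), while <LimitExcept GET POST> denies everything that is not GET, HEAD or POST.

```python
"""Added example: a small model of how Apache's <Limit> and <LimitExcept>
sections select request methods, used to audit a config snippet for
verb-tampering gaps. Not Apache's code; it only models the documented
matching rules (listed methods match; naming GET also covers HEAD;
LimitExcept is the complement of Limit) and treats a section as denying
when it contains "Require all denied" or "Deny from all"."""
import re

# Constructed sample 1: a <Limit> block that blocks only the methods it names.
LIMIT_ONLY = """
<Directory "/var/www">
    <Limit PUT DELETE>
        Require all denied
    </Limit>
    Require all granted
</Directory>
"""

# Constructed sample 2: the <LimitExcept> form from the answer above, written
# in Apache 2.4 "Require" syntax; everything except GET/POST (and HEAD) is denied.
LIMIT_EXCEPT = """
<Directory "/var/www">
    <LimitExcept GET POST>
        Require all denied
    </LimitExcept>
    Require all granted
</Directory>
"""

SECTION_RE = re.compile(
    r"<(Limit|LimitExcept)\s+([^>]+)>(.*?)</\1>", re.IGNORECASE | re.DOTALL)
DENY_RE = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\b",
                     re.IGNORECASE | re.MULTILINE)

# Methods worth probing: the usual verbs plus a made-up one, since a server
# that only blocks a fixed list will happily accept anything not on it.
PROBE_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS",
                 "PATCH", "PROPFIND", "FOO"]


def parse_method_sections(config):
    """Return [(kind, {methods}, denies)] for every Limit/LimitExcept block."""
    sections = []
    for kind, names, body in SECTION_RE.findall(config):
        methods = set(names.split())
        sections.append((kind.lower(), methods, bool(DENY_RE.search(body))))
    return sections


def section_covers(kind, methods, request_method):
    """True if a Limit/LimitExcept block applies to this request method.
    Apache documents that naming GET also restricts HEAD; method names are
    case-sensitive, so 'get' does not match 'GET'."""
    listed = request_method in methods or (
        request_method == "HEAD" and "GET" in methods)
    return listed if kind == "limit" else not listed


def method_denied(config, request_method):
    """Deny if any denying section covers the method (simplified merge)."""
    return any(denies and section_covers(kind, methods, request_method)
               for kind, methods, denies in parse_method_sections(config))


def audit(config, methods=PROBE_METHODS):
    """Map each probe method to 'denied' or 'allowed' under this config."""
    return {m: ("denied" if method_denied(config, m) else "allowed")
            for m in methods}


def bypass_methods(config, allowed=("GET", "HEAD", "POST")):
    """Methods the config lets through that are not on the intended allow-list;
    a non-empty result is the verb-tampering gap."""
    return sorted(m for m, verdict in audit(config).items()
                  if verdict == "allowed" and m not in allowed)


if __name__ == "__main__":
    for label, cfg in (("Limit", LIMIT_ONLY), ("LimitExcept", LIMIT_EXCEPT)):
        print(label, audit(cfg))
        print("  slips through:", bypass_methods(cfg))
```

Running it prints that the <Limit PUT DELETE> sample still lets FOO, OPTIONS, PATCH and PROPFIND through, while the <LimitExcept GET POST> sample lets nothing past GET, HEAD and POST. The same model accepts the older "Order deny,allow / Deny from all" form used in the question, so if a live server still answers PUT with such a config the cause lies outside method matching (for example the request never reaching that <Directory> or <Location> section), which is exactly what a probe of every method against the real server will reveal.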