I recently heard from a security audit that HTTP Options is insecure in general and the web-server should not allow it. Can someone explain the reasons why is it so ?

HTTP Options verb can divulge config / debug data on your Web server and as such should only be permitted if it's legitimately needed. Read this post on security stack exchange https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods REST APIs make use of Options and I believe it should remain enabled.

Why is HTTP Options request insecure

1 Answers

HTTP Options verb can divulge config / debug data on your Web server and as such should only be permitted if it's legitimately needed. Read this post on security stack exchange

https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods

REST APIs make use of Options and I believe it should remain enabled.

116

answered Oct 14 '22 17:10

iainpb

Recent Activity
Apple Pay - authorize.net returns error 153 only when live, sandbox works
How to continue cursor loop even error occured in the loop
python find all neighbours of a given node in a list of lists
Fatal error: Call to a member function setColumn() on a non-object in Magento
Count how many of each value from a field with MySQL and PHP
Python 32-bit development on 64-bit Windows [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With

Why is HTTP Options request insecure

Tags:

rest

http

tomcat

dogfish

1 Answers

iainpb

Recent Activity

Donate For Us

Why is HTTP Options request insecure

Tags:

rest

http

tomcat

dogfish

1 Answers

iainpb

Related questions

Recent Activity

Donate For Us