How to disable dangerous http methods in apache tomcat server

Some HTTP methods are dangerous: leaving them enabled can make the application easier to attack, for example through remote script execution, SQL injection or clickjacking.

Such dangerous HTTP methods therefore need to be restricted. They should be disabled at both the application level and the web server level, as follows.

Application Level

Add the dangerous HTTP methods to your application's web.xml as shown below. The <security-constraint> element must be placed inside the <web-app> tag.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>All JSP direct access</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>DEBUG</http-method>
        <http-method>HEAD</http-method>
        <http-method>CATS</http-method>
        <http-method>JEFF</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>MKCOL</http-method>
        <http-method>LOCK</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>No Access</description>
    </auth-constraint>
</security-constraint>

Web Server Level (Tomcat)

Add the same dangerous HTTP methods to the Apache Tomcat server's own web.xml as shown below. Again, the <security-constraint> element must be placed inside the <web-app> tag.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>All JSP direct access</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>DEBUG</http-method>
        <http-method>HEAD</http-method>
        <http-method>CATS</http-method>
        <http-method>JEFF</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>MKCOL</http-method>
        <http-method>LOCK</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>No Access</description>
    </auth-constraint>
</security-constraint>

If your application needs any of the HTTP methods listed, remove that method from the list above so that it is not blocked.
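As an added check that is not part of the original post, the following Python script parses a web.xml constraint of the form shown above and reports, per HTTP method, whether the container would deny or allow it on /*. It also shows that any verb the constraint does not list stays allowed unless the Servlet 3.1 <deny-uncovered-http-methods/> element is declared. The web.xml below is constructed for the example, and the script assumes every constraint names explicit <http-method> elements, as the page's does.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml that mirrors the page's constraint (shortened method list);
# a real Tomcat web.xml carries a namespace, so the helper strips it.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All JSP direct access</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint><description>No Access</description></auth-constraint>
  </security-constraint>
</web-app>"""

def _children(elem, name):
    """Direct children with the given local name, ignoring any xmlns."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def method_rules(web_xml):
    """Return (denied, covered) verbs for /*: denied = blocked for everyone by an
    empty <auth-constraint>; covered = named by any constraint on /* at all."""
    denied, covered = set(), set()
    for sc in _children(ET.fromstring(web_xml), "security-constraint"):
        auth = _children(sc, "auth-constraint")
        # An <auth-constraint> with no <role-name> means nobody may use those verbs.
        blocks = bool(auth) and not _children(auth[0], "role-name")
        for wrc in _children(sc, "web-resource-collection"):
            if "/*" not in {p.text.strip() for p in _children(wrc, "url-pattern")}:
                continue
            verbs = {m.text.strip().upper() for m in _children(wrc, "http-method")}
            covered |= verbs
            if blocks:
                denied |= verbs
    return denied, covered

def denies_uncovered(web_xml):
    """True when <deny-uncovered-http-methods/> (Servlet 3.1) is declared."""
    return bool(_children(ET.fromstring(web_xml), "deny-uncovered-http-methods"))

def audit(web_xml, methods=("GET", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "FOO")):
    """Per method, the container's decision for a request to /*: a verb that no
    constraint names is 'uncovered' and allowed unless deny-uncovered is set."""
    denied, covered = method_rules(web_xml)
    strict = denies_uncovered(web_xml)
    return {m: "denied" if m in denied or (strict and m not in covered) else "allowed"
            for m in methods}
```

Note that adding <deny-uncovered-http-methods/> alone also denies GET and POST on /*, so a second constraint without an <auth-constraint> must then list the verbs the application does serve.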
