How to disable dangerous HTTP methods in Apache Tomcat server
Some HTTP methods are dangerous: leaving them enabled can make the application easier to attack, for example through remote script execution, SQL injection, clickjacking and so on.
So these dangerous HTTP methods need to be restricted. We need to disable them at both the application level and the web server level, as follows.
Application Level
Add the dangerous HTTP methods to a security constraint in your application's web.xml as follows. The block goes inside the <web-app> element.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>All JSP direct access</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>DEBUG</http-method>
    <http-method>HEAD</http-method>
    <http-method>CATS</http-method>
    <http-method>JEFF</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>MKCOL</http-method>
    <http-method>LOCK</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>No Access</description>
  </auth-constraint>
</security-constraint>
Web Server Level (Tomcat)
Add the same dangerous HTTP methods to a security constraint in the Apache Tomcat server's own web.xml as follows. Again, the block goes inside the <web-app> element.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>All JSP direct access</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>DEBUG</http-method>
    <http-method>HEAD</http-method>
    <http-method>CATS</http-method>
    <http-method>JEFF</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>MKCOL</http-method>
    <http-method>LOCK</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>No Access</description>
  </auth-constraint>
</security-constraint>
If your application needs any of the HTTP methods above, remove that method from the list.
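Before rolling this constraint out, it helps to check what it actually covers. The script below is an added example, not code from the original post or from Tomcat: it parses a web.xml, applies the two servlet rules the configuration relies on (a security constraint covers only the http-method values it lists, and an auth-constraint with no role-name denies every caller), and reports which methods on a given path are still allowed. The SAMPLE_WEB_XML string is the post's constraint wrapped in a minimal web.xml, the COMMON_METHODS list and all function names are my own, and the url-pattern matching is a simplified version of the servlet rules (exact, path prefix, extension, default).

```python
"""Audit which HTTP methods a web.xml <security-constraint> really blocks.

Added example, not code from the original post. It models the two servlet
rules the post's configuration relies on: a <security-constraint> covers only
the <http-method>s it lists (or every method if it lists none), and an
<auth-constraint> without any <role-name> means no caller may reach the
resource. Function and variable names here are my own, not a Tomcat API.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the post's constraint wrapped in a minimal web.xml.
SAMPLE_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All JSP direct access</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>DEBUG</http-method>
      <http-method>HEAD</http-method>
      <http-method>CATS</http-method>
      <http-method>JEFF</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>MKCOL</http-method>
      <http-method>LOCK</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>No Access</description>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Methods worth asking about when auditing a deny-list (constructed list).
COMMON_METHODS = ("GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "PATCH",
                  "TRACE", "PROPFIND", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK")


def _local(tag):
    """Drop the XML namespace: '{http://...}http-method' -> 'http-method'."""
    return tag.rsplit("}", 1)[-1]


def _descendants(elem, name):
    """All descendants of elem whose local tag name is `name`."""
    return [e for e in elem.iter() if _local(e.tag) == name]


def _text(elem):
    return (elem.text or "").strip()


def parse_constraints(xml_text):
    """Return one dict per <security-constraint>: its url-patterns, methods and roles."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in _descendants(root, "security-constraint"):
        patterns, methods = [], []
        for wrc in _descendants(sc, "web-resource-collection"):
            patterns += [_text(e) for e in _descendants(wrc, "url-pattern")]
            methods += [_text(e).upper() for e in _descendants(wrc, "http-method")]
        auth = _descendants(sc, "auth-constraint")
        roles = [_text(r) for a in auth for r in _descendants(a, "role-name")]
        constraints.append({"patterns": patterns, "methods": methods,
                            "has_auth_constraint": bool(auth), "roles": roles})
    return constraints


def _pattern_matches(pattern, path):
    """Servlet-style matching: exact, path prefix '/x/*', extension '*.jsp', default '/'."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def is_denied(constraints, method, path):
    """True when a role-less <auth-constraint> blocks METHOD on PATH."""
    method = method.upper()
    for c in constraints:
        covers_method = not c["methods"] or method in c["methods"]
        denies_everyone = c["has_auth_constraint"] and not c["roles"]
        if (denies_everyone and covers_method
                and any(_pattern_matches(p, path) for p in c["patterns"])):
            return True
    return False


def uncovered_methods(constraints, path, candidates=COMMON_METHODS):
    """Methods from `candidates` that the deny-list does not block on PATH."""
    return [m for m in candidates if not is_denied(constraints, m, path)]


if __name__ == "__main__":
    cs = parse_constraints(SAMPLE_WEB_XML)
    for m in COMMON_METHODS:
        state = "denied" if is_denied(cs, m, "/index.jsp") else "allowed"
        print(f"{m:9s} /index.jsp -> {state}")
    print("Not blocked by this list:", ", ".join(uncovered_methods(cs, "/index.jsp")))
```

Running it against the post's list shows that GET and POST stay open, as intended, but so do PATCH, PROPFIND, COPY, MOVE and UNLOCK, because a security constraint only restricts the verbs it names. If you want every verb except the ones your application uses blocked, Servlet 3.0 and later also accept http-method-omission inside web-resource-collection, which turns the list into an allow-list; this script does not model that element.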
Hello! I am Narayanaswamy, founder and admin of narayanatutorial.com. I have been working in the IT industry for more than 12 years. NarayanaTutorial is my web technologies blog. My specialties are Java / J2EE, Spring, Hibernate, Struts, Webservices, PHP, Oracle, MySQL, SQLServer, Web Hosting, Website Development, and IAM (ForgeRock).
I am a self-learner and passionate about training and writing. I am always trying my best to share my knowledge through my blog.