Narayana Tutorial

Online Java Tutorial Blog

How to disable dangerous http methods in apache tomcat server

Some HTTP methods are dangerous to leave enabled. PUT lets a client write files onto the server (on Tomcat, a writable DefaultServlet will accept an uploaded .jsp, which then executes as a web shell), DELETE removes resources, TRACE echoes the request back to the client and is the basis of cross-site tracing (XST), and OPTIONS advertises which methods the server accepts, which helps an attacker enumerate the rest. WebDAV methods such as MKCOL and LOCK are rarely needed by an ordinary web application and only widen the attack surface.

So any method the application does not need should be refused. Do this at both the application level and the web server (Tomcat) level, as follows.

Application Level

Add a <security-constraint> listing the methods to refuse to your application's WEB-INF/web.xml, directly inside the <web-app> element. An <auth-constraint> with no <role-name> means that no user, authenticated or not, may use those methods on the matching URLs, so Tomcat answers them with 403 Forbidden:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>All JSP direct access</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>DEBUG</http-method>
        <http-method>HEAD</http-method>
        <http-method>CATS</http-method>
        <http-method>JEFF</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>MKCOL</http-method>
        <http-method>LOCK</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>
            No Access
        </description>
    </auth-constraint>
</security-constraint>

Two things to check before copying this list. HEAD is a safe, read-only method, and refusing it breaks load-balancer health checks and caches, so drop it from the list unless you have a specific reason. And because this is a deny-list, only the exact method names written here are refused: CATS and JEFF stand for arbitrary made-up verbs, and any verb not in the list still reaches the application (HttpServlet answers a verb it has no do-method for with 501 Not Implemented, but a servlet that overrides service() may not). Servlet 3.0 and later let you invert the logic with <http-method-omission>, so that everything except the methods you name is refused.
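The allow-list form of the same constraint, as an added example that is not part of the original post. It uses <http-method-omission>, available since Servlet 3.0 (Tomcat 7 and later), so the descriptor's root element must declare at least version="3.0". Every method not named in an omission element is denied on every URL; note that this also denies OPTIONS, so add an omission for it if browsers need CORS preflight against this application:

```xml
<!-- Added example (not from the original post): refuse every HTTP method
     except GET, POST and HEAD. Goes inside <web-app version="3.0" ...>. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Refuse all methods except GET, POST and HEAD</web-resource-name>
        <url-pattern>/*</url-pattern>
        <!-- methods listed here are the ones the constraint does NOT cover,
             i.e. the ones that stay allowed -->
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>POST</http-method-omission>
        <http-method-omission>HEAD</http-method-omission>
    </web-resource-collection>
    <!-- empty auth-constraint: no role may use the covered methods -->
    <auth-constraint/>
</security-constraint>
```

With this form a newly invented verb is refused without anyone having to remember to add it to a list, and an application that later needs PUT or DELETE for a REST endpoint adds one omission line rather than editing a deny-list.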

Web Server Level (Tomcat)

Add the same <security-constraint> to Tomcat's global descriptor, $CATALINA_BASE/conf/web.xml, inside its <web-app> element. Constraints in the global web.xml apply to every web application deployed on that Tomcat instance, which also catches applications whose own web.xml forgot the rule. The file is replaced when Tomcat is upgraded, so keep the change under configuration management.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>All JSP direct access</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>DEBUG</http-method>
        <http-method>HEAD</http-method>
        <http-method>CATS</http-method>
        <http-method>JEFF</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>MKCOL</http-method>
        <http-method>LOCK</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>
            No Access
        </description>
    </auth-constraint>
</security-constraint>

Tomcat also has defaults worth knowing here. TRACE is refused unless allowTrace="true" has been set on the <Connector> in server.xml, and the DefaultServlet refuses PUT and DELETE on static content unless its readonly init-param has been set to false in this same conf/web.xml. Check that nobody has loosened those, and keep the constraint regardless: it also covers servlets and JSPs that handle PUT or DELETE themselves, which the DefaultServlet setting does not.


If your application legitimately uses one of these methods (for example a REST API that accepts PUT and DELETE), remove that method from the list above; everything else should stay refused.
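To confirm the constraint is actually enforced, send each method to the server and look at the status codes rather than trusting the descriptor. The following Python script is an added example and not part of the original post: probe_methods sends every method from the list above plus one invented verb (FOOBAR) and returns the status per method, and open_methods flags any method outside the allow-list that the server did not refuse. The mock server (_MockTomcatHandler and start_mock_server) is a constructed stand-in for a Tomcat hardened as described, answering 403 for everything except GET, POST and HEAD, so the script runs offline; point probe_methods at your real host and port to test a deployment.

```python
"""Probe which HTTP methods a server accepts (added example, not from the post)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# The post's deny-list plus an invented verb, FOOBAR, to show how the server
# treats a method that appears in no list at all.
PROBE_METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE",
                 "DEBUG", "MKCOL", "LOCK", "CATS", "JEFF", "FOOBAR")
SAFE_METHODS = ("GET", "POST", "HEAD")


def probe_methods(host, port, path="/", methods=PROBE_METHODS, timeout=5):
    """Send each method to host:port/path and return {method: status_code}.

    A fresh connection per request keeps a server that closes the socket
    after an error from poisoning the next probe.
    """
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()  # drain the body so the socket closes cleanly
            results[method] = resp.status
        finally:
            conn.close()
    return results


def open_methods(results, allowed=SAFE_METHODS):
    """Return methods outside the allow-list that the server did not refuse.

    Anything answered with a 2xx or 3xx counts as reachable; 403 (security
    constraint), 405 and 501 (servlet has no handler) all count as refused.
    """
    return sorted(m for m, status in results.items()
                  if m not in allowed and status < 400)


class _MockTomcatHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a Tomcat hardened as in the post: GET, POST
    and HEAD succeed, every other verb gets the 403 that a denied
    <security-constraint> produces. This is not a real Tomcat."""
    ALLOWED = set(SAFE_METHODS)

    def _respond(self):
        if self.command in self.ALLOWED:
            body = b"ok"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            if self.command != "HEAD":
                self.wfile.write(body)
        else:
            self.send_response(403)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def __getattr__(self, name):
        # BaseHTTPRequestHandler dispatches on do_<METHOD>; route every verb,
        # including unknown ones such as CATS or FOOBAR, to the same decision.
        if name.startswith("do_"):
            return self._respond
        raise AttributeError(name)

    def log_message(self, *args):  # keep the probe output readable
        pass


def start_mock_server():
    """Start the stand-in server on an ephemeral localhost port and return it."""
    server = HTTPServer(("127.0.0.1", 0), _MockTomcatHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_mock_server()
    host, port = srv.server_address
    found = probe_methods(host, port)
    for method, status in found.items():
        print(f"{method:<8}{status}")
    print("still open:", open_methods(found) or "none")
    srv.shutdown()
```

Run it against a real instance with probe_methods("your-host", 8080, "/yourapp/") and expect 403 for every method you listed in the constraint; a 200 or 201 on PUT, or a 200 on TRACE, means the descriptor is not the one Tomcat loaded or the constraint is in the wrong place.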


Narayanaswamy

Hello! I am Narayanaswamy, founder and admin of narayanatutorial.com. I have been working in the IT industry for more than 7 years. NarayanaTutorial is my web technologies blog. My specialties are Java / J2EE, Spring, Hibernate, Struts, Webservices, PHP, Oracle, MySQL, SQLServer, Web Hosting and Website Development.

I am a self-learner and passionate about training and writing. I am always trying my best to share my knowledge through my blog.

Narayana Tutorial © 2018