HOWTO: Disable HTTP Methods in Apache (disabling the OPTIONS method in Apache)

Disabling the OPTIONS method in Apache
../bin/apachectl -L lists all available configuration directives

RewriteEngine On
# Without a RewriteCond in front of it, this rule forbids every request
RewriteRule .* - [F]

HOWTO: Disable HTTP Methods in Apache
At several points in our careers as web server/site administrators, we will be required to disable certain HTTP methods on the web and app servers we support. The most common reason to disable these methods is a security best practice. The traditional way to disable specific HTTP methods in the Apache web server is with mod_rewrite. mod_rewrite is a rules-based rewriting engine whose rules can go in the standard Apache configuration file or in an .htaccess file.

There are a minimum of four components to a mod_rewrite rule: the directive that loads the module, the directive that turns the rewrite engine on, a rewrite condition, and a rewrite rule.

Since mod_rewrite is so commonly used, the directive that loads the module will more likely than not already be present. Search your Apache configuration file(s) for it. If it is not found, add the following line to your Apache configuration file (typically known as httpd.conf):

LoadModule rewrite_module path/to/apache/modules/

To enable the rewrite engine, add the following:

RewriteEngine On

The Disable HTTP Methods Rewrite Rule
Since we are looking to disable specific HTTP methods in this HOWTO, our rewrite rule has two components: a condition and the rule to be applied when that condition is met. In this HOWTO, my example rule will disable both HTTP TRACE and HTTP TRACK requests (even though TRACK isn’t supported by Apache) as well as HTTP OPTIONS requests (even though disabling HTTP OPTIONS isn’t necessarily a best practice). Below is the rule:

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]

The first line in the rule uses a built-in server variable called REQUEST_METHOD. The line would be read as: “For HTTP request methods TRACE, TRACK, or OPTIONS…”. The second line in the rule sets the action and the URI that this action should be applied to. The line above would be read as: “forbid access for all URIs”. Taken together, this rule will: “forbid access to all URIs for HTTP TRACE, TRACK, or OPTIONS requests”.

<LimitExcept GET POST>
deny from all
</LimitExcept>

But using the above configuration, HEAD requests are still allowed on the web server,
as GET and HEAD are both almost the same. But the client is insisting that we disable HEAD also.

We tried to disable it using

<LimitExcept GET POST>
deny from all
</LimitExcept>
<Limit HEAD>
deny from all
</Limit>

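An added example (not from the original article or the comment above): a small Python check that models which request methods a RewriteCond on %{REQUEST_METHOD} hands to a RewriteRule carrying [F]. It is run over the article's rule and over a constructed allow-list variant of it that also rejects HEAD. Assumptions: the RewriteRule pattern matches the URI, conditions on other variables are treated as met, rules without [F] are ignored, and Python's re stands in for Apache's regex engine.

```python
import re

METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "TRACK"]

def _flags(tokens, index):
    """Parse an optional [A,B] flag token into a set of upper-case names."""
    return set(tokens[index].strip("[]").upper().split(",")) if len(tokens) > index else set()

def _cond_hits(test, pattern, flags, method):
    if test != "%{REQUEST_METHOD}":
        return True  # assumption: conditions on other variables are treated as met
    negate = pattern.startswith("!")  # a leading "!" inverts the match
    regex = pattern[1:] if negate else pattern
    found = re.search(regex, method, re.I if flags & {"NC", "NOCASE"} else 0)
    return (found is None) if negate else (found is not None)

def _conds_met(conds, method):
    """AND the conditions together; conditions chained with [OR] form one OR group."""
    result, group = True, False
    for test, pattern, flags in conds:
        group = group or _cond_hits(test, pattern, flags, method)
        if not flags & {"OR", "ORNEXT"}:
            result, group = result and group, False
    return result

def forbidden_methods(conf):
    """Return the sorted methods that reach a RewriteRule carrying the [F] flag."""
    blocked, conds = set(), []
    for line in conf.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        directive = tokens[0].lower()
        if directive == "rewritecond" and len(tokens) >= 3:
            conds.append((tokens[1], tokens[2], _flags(tokens, 3)))
        elif directive == "rewriterule":
            if _flags(tokens, 3) & {"F", "FORBIDDEN"}:
                blocked.update(m for m in METHODS if _conds_met(conds, m))
            conds = []  # conditions apply only to the rule that follows them
    return sorted(blocked)

# Constructed samples: the article's rule, and an allow-list variant of it.
PAGE_RULE = """RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]"""
ALLOW_LIST = """RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule .* - [F]"""
```

forbidden_methods(PAGE_RULE) lists only OPTIONS, TRACE and TRACK, while forbidden_methods(ALLOW_LIST) lists every sampled method except GET and POST, HEAD included.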