Why is the HTTP OPTIONS request insecure?
The HTTP OPTIONS verb can divulge config / debug data on your web server, and as such it should only be permitted if it's legitimately needed. Read this post on Security Stack Exchange:
https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods
REST APIs make use of OPTIONS and I believe it should remain enabled.
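As an added example (not part of the original answer or of the linked post), here are the two checks a practitioner usually wants around OPTIONS: parsing the Allow header a server returns and flagging methods that should not be advertised, and a minimal handler that answers OPTIONS only for a CORS preflight from an allow-listed origin and otherwise refuses with a 405 that lists only the public methods. The function names, the origin allow-list, the "risky" method set and the sample Allow header are assumptions constructed for this example; the probe helper is the only part that touches the network and is there so you can run the audit against your own server.

```python
# Added example, not code from the original post. Names, the origin
# allow-list, the "risky" method set and the sample header below are
# assumptions made for illustration.
import http.client

# Methods that an ordinary web app or REST API should not advertise in
# Allow: PUT/DELETE on a plain site and the WebDAV verbs usually mean a
# module is enabled that nobody intended to expose (assumed list).
RISKY_METHODS = {
    "PUT", "DELETE", "TRACE", "CONNECT", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}

# Hypothetical policy for the preflight handler.
ALLOWED_ORIGINS = {"https://app.example.com"}
EXPOSED_METHODS = ("GET", "POST")

# Constructed sample: the kind of Allow header a default-configured server
# with WebDAV enabled returns to an OPTIONS request.
SAMPLE_ALLOW = "OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE, PROPFIND"


def parse_allow(header_value):
    """Split an Allow header into upper-cased, de-duplicated method names."""
    methods = []
    for token in header_value.split(","):
        method = token.strip().upper()
        if method and method not in methods:
            methods.append(method)
    return methods


def audit_allow(header_value):
    """Return the advertised methods that are on the risky list, sorted."""
    return sorted(m for m in parse_allow(header_value) if m in RISKY_METHODS)


def probe_options(host, path="/", timeout=5):
    """Send a real OPTIONS request and return (status, Allow header or None).

    Network helper for use against your own server; the self-contained
    checks below do not call it.
    """
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Allow")
    finally:
        conn.close()


def handle_options(request_headers):
    """Decide how to answer an OPTIONS request.

    Returns (status, response_headers). Only a CORS preflight from an
    allow-listed origin for an exposed method gets a positive answer; any
    other OPTIONS request is refused with 405 and an Allow header that lists
    just the public methods rather than everything the server can do.
    """
    headers = {k.lower(): v for k, v in request_headers.items()}
    origin = headers.get("origin")
    wanted = headers.get("access-control-request-method", "").upper()

    if origin and wanted:                     # this is a CORS preflight
        if origin in ALLOWED_ORIGINS and wanted in EXPOSED_METHODS:
            return 204, {
                "Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Methods": ", ".join(EXPOSED_METHODS),
                "Access-Control-Max-Age": "600",
                "Vary": "Origin",
            }
        return 403, {}                        # unknown origin or method

    # Plain OPTIONS (a scanner, or curl -X OPTIONS): RFC 7231 requires an
    # Allow header on a 405, so list only what the app actually serves.
    return 405, {"Allow": ", ".join(EXPOSED_METHODS)}


if __name__ == "__main__":
    print("risky methods advertised:", audit_allow(SAMPLE_ALLOW))
    print(handle_options({"Origin": "https://app.example.com",
                          "Access-Control-Request-Method": "POST"}))
    print(handle_options({"User-Agent": "scanner"}))
```

The point of the handler is the one the answer makes: a browser's CORS preflight is a legitimate use of OPTIONS, so the method stays enabled, but an OPTIONS request that is not a preflight gets no more information than the app's public method list. The audit function is what a security review actually does with the response: not every advertised method is a finding, but TRACE, PUT, DELETE and the WebDAV verbs on a server that does not need them are worth asking about.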
Author: dogfish
Updated on July 20, 2022
Comments
- dogfish, almost 2 years ago: I recently heard from a security audit that HTTP OPTIONS is insecure in general and the web server should not allow it. Can someone explain the reasons why this is so?
- Christopher Schultz, over 7 years ago: Confusing: "rarely used nowadays for legitimate purposes" and "several legitimate purposes nowadays" in the same answer, and not an update posted years after the fact. Try to be more clear.
- Christopher Schultz, over 7 years ago: OPTIONS is also used by the WebDAV protocol.
- TJ_, over 7 years ago: "not an update posted years after the fact" right, because HTTP methods are rapidly changing and are completely different than they were in 2013.
- Christopher Schultz, over 7 years ago: @TJ_ yesterday What I meant was that you contradicted yourself in a single posting, not adding an edit years later with conflicting information due to a change in the spec or general environment.
- bruno_cw, over 4 years ago: I'm not entirely confident on it being "rarely used".