Why is HTTP Options request insecure


HTTP Options verb can divulge config / debug data on your Web server and as such should only be permitted if it's legitimately needed. Read this post on Security Stack Exchange:

https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods

REST APIs make use of Options and I believe it should remain enabled.

Author: dogfish
Updated on July 20, 2022
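As an added example (not code from the question, the answer or any commenter), here is a small Python checker that parses a raw HTTP OPTIONS response and compares the methods it advertises with an assumed per-endpoint allowlist, so an audit finding like the one above can be verified against what the server actually exposes; the allowlist, the fingerprint-header list and both sample responses are constructed assumptions.

```python
# Added example: assess what an HTTP OPTIONS response advertises, so an audit
# can compare the methods exposed against the ones an endpoint really needs
# (e.g. the CORS preflight a browser-based REST client depends on).
from dataclasses import dataclass

# Assumed allowlist for a JSON REST endpoint called cross-origin: the CORS
# preflight needs OPTIONS, the API itself needs GET/HEAD/POST.
REST_ALLOWED = frozenset({"GET", "HEAD", "POST", "OPTIONS"})
# Headers that commonly reveal server/framework details to a scanner (assumed list).
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

@dataclass
class OptionsReport:
    status: int
    advertised: frozenset   # methods listed in Allow / Access-Control-Allow-Methods
    unexpected: frozenset   # advertised but not in the allowlist
    fingerprint: dict       # identifying headers that were returned
    has_body: bool          # an OPTIONS response should normally carry no body

def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def _method_set(value: str) -> set:
    return {m.strip().upper() for m in value.split(",") if m.strip()}

def assess_options(raw: bytes, allowed=REST_ALLOWED) -> OptionsReport:
    """Compare the methods an OPTIONS response advertises with the allowlist."""
    status, headers, body = parse_http_response(raw)
    advertised = _method_set(headers.get("allow", ""))
    advertised |= _method_set(headers.get("access-control-allow-methods", ""))
    fingerprint = {h: headers[h] for h in FINGERPRINT_HEADERS if h in headers}
    return OptionsReport(status, frozenset(advertised),
                         frozenset(advertised - allowed), fingerprint, bool(body.strip()))

# Constructed sample responses (not real captures): a chatty default server
# config versus a tidy CORS preflight reply.
NOISY = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.x (Unix)\r\nX-Powered-By: PHP\r\n"
         b"Allow: GET,HEAD,POST,OPTIONS,TRACE,PUT,DELETE\r\nContent-Length: 0\r\n\r\n")
PREFLIGHT = (b"HTTP/1.1 204 No Content\r\nAccess-Control-Allow-Origin: https://app.example\r\n"
             b"Access-Control-Allow-Methods: GET, POST\r\nAllow: GET, POST, OPTIONS\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("noisy", NOISY), ("preflight", PREFLIGHT)):
        print(name, assess_options(raw))
```

Anything in `unexpected` or `fingerprint` is what the auditor's "config / debug data" finding refers to; an empty `unexpected` set with only the preflight methods is the state a REST API behind CORS actually needs.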

Comments

  • dogfish
    dogfish almost 2 years

    I recently heard from a security audit that HTTP Options is insecure in general and the web-server should not allow it. Can someone explain the reasons why this is so?

  • Christopher Schultz
    Christopher Schultz over 7 years
    Confusing: "rarely used nowadays for legitimate purposes" and "several legitimate purposes nowadays" in the same answer, and not an update posted years after the fact. Try to be more clear.
  • Christopher Schultz
    Christopher Schultz over 7 years
    OPTIONS is also used by the WebDAV protocol.
  • TJ_
    TJ_ over 7 years
    "not an update posted years after the fact" right, because HTTP methods are rapidly changing and are completely different than they were in 2013.
  • Christopher Schultz
    Christopher Schultz over 7 years
    @TJ_yesterday What I meant was that you contradicted yourself in a single posting, not adding an edit years later with conflicting information due to a change in the spec or general environment.
  • bruno_cw
    bruno_cw over 4 years
    I'm not entirely confident on it being "rarely used"