How to Disable HTTP Methods in Apache?
Last Updated :
20 Jun, 2024
To prevent the collection of specific system calls that could offer attackers Windows running Apache servers a backdoor, we can Turn off unwanted HTTP methods on the Apache web server. This increases the security of our web application and prevents unwanted attacks.
Prerequisites
- Apache Installed
- Administrative Access
- Backup Configuration
Steps to disable HTTP methods in Apache
Step 1: Locating Apache Configuration File
The main configuration file for Apache is named httpd.conf.this file is located at the following:
C:\Apache24\conf\httpd.conf
Step 2: Opening httpd.conf File
Using text editor like Notepad open the above file.
Step 3: Uncomment the line
Firstly, unclomment the following line in the apache configuration file opened
#LoadModule access_compat_module modules/mod_access_compat.so
(to)
LoadModule access_compat_module modules/mod_access_compat.so
Step 4: Add or Modify the <Limit> Directive
- add this line first and then proceed further.
TraceEnable off
- To disable specific HTTP methods, you need to use the <Limit> directive in the httpd.conf file. For example, to disable the TRACE and TRACK methods, add the following lines:
<Limit TRACE TRACK>
Order allow,deny
Deny from all
</Limit>
- This configuration tells Apache to deny all requests for the TRACE and TRACK methods. You can disable other methods similarly by listing them within the <Limit> directive.
Step 5: Restrict Methods in Specific Directories if needed
If you want to restrict methods in specific directories, you can use the <Directory> directive. For example, to disable methods in the /var/www/html directory:
<Directory "C:/Apache24/htdocs">
<Limit DELETE>
Order allow,deny
Deny from all
</Limit>
</Directory>
Step 6: Save the Configuration File
- After making the necessary changes, save the httpd.conf file.
Step 7: Restart Apache Server
- For the changes to take effect, you need to restart the Apache server. You can do this through the Apache Service Monitor or by using the command prompt. To restart via the command prompt:
httpd -k restart
httpd -k start
Verifying the Changes
- You can verify that the methods are disabled by using tools like cURL or browser plugins like Postman. For example, to check if the TRACE method is disabled use following commands to check:
Invoke-WebRequest -Uri http://localhost:809 -Method TRACE
- here my domain port is 809 please change to yours. To do so, search port in the httpd file and change the url accordingly.
Output:
trace method is limited as we kep traceEnable offInvoke-WebRequest -Uri http://localhost:809 -Method DELETE
Output:
detele method is limited Invoke-WebRequest -Uri http://localhost:809 -Method GET
Output:
gt method is acceptedConclusion
Disabling HTTP methods in apache enhaces the servers security preventing the acctacks on server. One can easily disable the unwanted methods to a directory or overall server level using the steps provided in this article.
Similar Reads
How To Enable mod_ssl in Apache? The mod_ssl module in Apache allows you to secure the web server with SSL or TLS encryption. This article will show how to enable mod_ssl in apache to ensure the your website handles secure HTTPS connections. PrerequisitesApache HTTP Server.Administrative privileges on the Windows system.A valid SSL
3 min read
How to Enable HTTP/2 protocol support in Apache? HTTP/2 is a significant update to the HTTP protocol. It was created to outperform HTTP 1.1 in terms of performance and latency. The applications operate way faster and more efficiently if we enable HTTP/2 on our Apache server. PrerequisitesApache Version: 2.4.17 or later.OpenSSL Version: Ensure Open
2 min read
How to Enable or Disable Apache Modules? Apache, one of the most widely used web servers, is known for its flexibility and power. This flexibility is largely due to its modular architecture, which allows administrators to enable or disable specific functionalities as needed. Apache modules can extend the core functionality of the server to
3 min read
How to Change Apache HTTP Port in Linux? The Apache HTTP server is one of the internet's most popular web servers today, thanks to its versatility, consistency, and a plethora of features, some of which are actually not available on other web servers, such as Nginx's competitor. Some of Apache's most significant features include the abilit
2 min read
How To Disable Directory Listing in Apache? Disabling Directory Listing in Apache is always a good practice to turn off directory listing in Apache for security reasons. This may allow users who do not have permission to view the contents of directories on your server if an index file, such as index.html, does not exist. This can expose sensi
3 min read