
Block HTTP Methods: Security Best Practice

TL;DR

Yes, blocking unwanted HTTP methods (HEAD, TRACE, DELETE, TRACK) is a good security practice. It reduces your server’s attack surface by disabling features rarely needed but potentially exploitable.

Why Block These Methods?

  • HEAD: Used to retrieve only the headers of a resource. While generally harmless, it can reveal information about your server and application setup.
  • TRACE: Echoes the request the server received, headers included, back to the client. It is meant for debugging, but it can be abused in Cross-Site Tracing (XST), a Cross-Site Scripting (XSS) variant, to read request headers, such as cookies, that the browser would otherwise keep from scripts.
  • DELETE: Used to delete a resource. If not properly secured, it could allow unauthorized users to remove data.
  • TRACK: A non-standard method sometimes used for web analytics; rarely needed and potentially misused.

How to Block HTTP Methods

The method for blocking these depends on your web server software.

1. Apache

  1. Edit your virtual host configuration file (e.g., /etc/apache2/sites-available/your_site.conf).
  2. Add the following lines inside the <VirtualHost> block (TraceEnable is only valid at server or virtual-host level, not inside <Directory>, and mod_rewrite must be enabled, e.g. with a2enmod rewrite). Options controls directory features such as Indexes and FollowSymLinks, not HTTP methods, so it cannot be used for this:
    
    TraceEnable off
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK)$
    RewriteRule .* - [R=405,L]
    
  3. Restart Apache:
    sudo systemctl restart apache2

2. Nginx

  1. Edit your server block configuration file (e.g., /etc/nginx/sites-available/your_site).
  2. Add the following lines within the server { ... } block:
    if ($request_method ~ ^(HEAD|TRACE|DELETE|TRACK)$) {
      return 405;
    }
    
  3. Restart Nginx:
    sudo systemctl restart nginx

3. Microsoft IIS

  1. Open IIS Manager.
  2. Select your website or application.
  3. Double-click “Request Filtering”.
  4. In the “Hidden Methods” section, click “Add Hidden Method…”.
  5. Enter HEAD, TRACE, DELETE and TRACK one at a time, then click OK.

4. Node.js (Express)

  1. Register middleware that rejects unwanted methods before any route is defined:
    const express = require('express');
    const app = express();

    // Must come before the routes so a blocked method never reaches them
    app.use((req, res, next) => {
      if (['HEAD', 'TRACE', 'DELETE', 'TRACK'].includes(req.method)) {
        return res.status(405).send('Method Not Allowed');
      }
      next();
    });
    

Testing the Block

  1. Use a tool like curl to test whether the methods are blocked. Use -I for HEAD (curl -X HEAD waits for a response body that never arrives) and -i so the status line is printed:
    curl -I http://yourdomain.com/somepage
    curl -i -X TRACE http://yourdomain.com/somepage
    curl -i -X DELETE http://yourdomain.com/somepage
    curl -i -X TRACK http://yourdomain.com/somepage
    
  2. You should receive a 405 Method Not Allowed error for each blocked method.
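A small probe for this check, added here and not part of the article: probe_methods sends each method to a host and collects the status code, and still_allowed lists the blocked-list methods that did not answer 405. The DemoHandler server is a constructed stand-in so the script runs offline; point probe_methods at your own host and port instead.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

BLOCKED = ("HEAD", "TRACE", "DELETE", "TRACK")  # the four methods the article blocks

def probe_methods(host, port, path="/", methods=BLOCKED, timeout=5):
    """Send each method to host:port/path and return {method: status_code}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()  # HEAD replies carry no body; http.client handles that
            results[method] = resp.status
        finally:
            conn.close()
    return results

def still_allowed(results, expected=405):
    """Blocked-list methods that did not answer with the expected 405."""
    return sorted(m for m in BLOCKED if results.get(m) != expected)

class DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in server: 405 for the blocked methods, 200 otherwise."""
    def _handle(self):
        if self.command in BLOCKED:
            self.send_response(405)
            self.send_header("Allow", "GET, POST")
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")
    do_GET = do_POST = do_HEAD = do_TRACE = do_DELETE = do_TRACK = _handle
    def log_message(self, *args):  # keep the demo quiet
        pass

def run_demo():
    """Start the stand-in server on a free local port, probe it, return results."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_methods("127.0.0.1", server.server_address[1], methods=BLOCKED + ("GET",))
    finally:
        server.shutdown()
        server.server_close()
```

Some servers answer an unknown method such as TRACK with 501 Not Implemented rather than 405; that is also a safe outcome, so pass expected=501 to still_allowed if that is what your server returns.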

Important Considerations

  • Review your application: Ensure blocking these methods doesn’t break any legitimate functionality. HEAD in particular is used by load balancer health checks, uptime monitors and caches, and HTTP requires a server that answers GET to answer HEAD as well, so test this one carefully before blocking it.
  • Web Application Firewall (WAF): Consider using a WAF for more comprehensive protection, including HTTP method filtering and other attack mitigation techniques.