Wednesday, February 1, 2012

Prevent All Non Desirable Apache Methods

So our security audit claims that I have to shut down all Apache httpd methods but POST, GET and HEAD. I went to the Apache documentation and they claim you should use LimitExcept. Sounds great, right? So I tried using it in all the places they allow, but it doesn't work anywhere I put it. After scouring the web I have just given up and used something really simple:


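# Return 403 Forbidden for any request method other than GET, POST or HEAD.
RewriteEngine On
# Match the whole method token so look-alike prefixes (e.g. GETX) are refused too.
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
RewriteRule .* - [F]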

Works great (with the minor performance cost)... I wish Apache would just fix LimitExcept so it could be global.  Some of us don't use Directory entries like they expect.

Just thought I'd post though so that others may not have to suffer the same waste of time as myself.
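A RewriteCond pattern is an unanchored regex match against the method token, so it matters whether the allowlist is anchored at both ends. The following is an added example, not part of the original post: it emulates that matching in Python (whose `re` module treats these particular patterns the same way PCRE does) and compares a prefix-only lookahead with a fully anchored, negated allowlist. The probe list, including the extension tokens GETX and POSTAL, is constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed probe set: standard methods plus two made-up extension tokens.
PROBES = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE",
          "PATCH", "GETX", "POSTAL"]

def parse_cond(line):
    """Parse 'RewriteCond %{REQUEST_METHOD} [!]pattern [flags]'."""
    parts = line.split()
    if (len(parts) < 3 or parts[0] != "RewriteCond"
            or parts[1] != "%{REQUEST_METHOD}"):
        raise ValueError("unsupported directive: " + line)
    pattern = parts[2]
    flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
    negate = pattern.startswith("!")          # leading '!' inverts the match
    if negate:
        pattern = pattern[1:]
    rx = re.compile(pattern, re.I if "NC" in flags else 0)
    return rx, negate

def forbidden(cond_line, method):
    """True when the condition holds, so a following 'RewriteRule .* - [F]' fires."""
    rx, negate = parse_cond(cond_line)
    matched = rx.search(method) is not None   # unanchored search, like mod_rewrite
    return matched != negate

def allowed_methods(cond_line, probes=PROBES):
    """Methods from the probe set that the rule lets through."""
    return [m for m in probes if not forbidden(cond_line, m)]

PREFIX_ONLY = "RewriteCond %{REQUEST_METHOD} ^(?!POST|GET|HEAD)"
ANCHORED = "RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$"

if __name__ == "__main__":
    for cond in (PREFIX_ONLY, ANCHORED):
        print(cond, "->", allowed_methods(cond))
```

The prefix-only form lets any token that merely begins with POST, GET or HEAD through, while the anchored form admits exactly the three methods.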