You can block the use of specific HTTP methods to request local or remote
resources to reduce exposure to security vulnerabilities.
About this task
Modify the WebSEAL configuration file to disable specific HTTP methods.
Procedure
- Use the http-method-disabled-local stanza entry in the
  [server] stanza to disable the use of specific methods to request resources over
  a local junction.
- Use the http-method-disabled-remote stanza entry in the
  [server] stanza to disable the use of specific methods to request remote
  resources.
You can use a comma (,) to separate multiple methods. For example, the following
configuration entry blocks access to the TRACE and PUT methods over local
junctions:
[server]
http-method-disabled-local = TRACE,PUT
By default, WebSEAL disables the TRACE, PUT, DELETE, and CONNECT methods. The default
values for these configuration entries are as follows:
[server]
http-method-disabled-local = TRACE,PUT,DELETE,CONNECT
http-method-disabled-remote = TRACE,PUT,DELETE,CONNECT
Note:
You can enable a blocked method by removing the method name from these two
entries in the WebSEAL configuration file.
To enable all HTTP methods for local responses, set the following entry:
[server]
http-method-disabled-local =
To enable all HTTP methods for junctioned responses, set the following entry:
[server]
http-method-disabled-remote =
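
The following audit script is an added example, not part of the WebSEAL product or its documentation. It reads the [server] stanza and reports which of the default-blocked methods a configuration leaves enabled. It assumes that lines starting with `#` are comments and that an absent entry means the documented default applies; the sample configuration and the `[other-stanza]` name are constructed.

```python
# Added example: audit the [server] stanza of a WebSEAL configuration file.
DEFAULT_DISABLED = ("TRACE", "PUT", "DELETE", "CONNECT")  # defaults stated on this page
ENTRIES = ("http-method-disabled-local", "http-method-disabled-remote")


def parse_server_stanza(text):
    """Return the key/value entries of the [server] stanza (last value wins)."""
    entries, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
        elif stanza == "server" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries


def audit_disabled_methods(text):
    """Map each entry to the default-blocked methods that the file leaves enabled."""
    server = parse_server_stanza(text)
    findings = {}
    for entry in ENTRIES:
        if entry in server:
            # An empty value yields an empty set: every method is enabled.
            disabled = {m.strip() for m in server[entry].split(",") if m.strip()}
        else:
            # Assumption: an absent entry means the documented default applies.
            disabled = set(DEFAULT_DISABLED)
        findings[entry] = [m for m in DEFAULT_DISABLED if m not in disabled]
    return findings


# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """\
[server]
# local junctions: only two methods blocked
http-method-disabled-local = TRACE,PUT
http-method-disabled-remote =

[other-stanza]
http-method-disabled-local = TRACE,PUT,DELETE,CONNECT
"""

if __name__ == "__main__":
    for entry, enabled in audit_disabled_methods(SAMPLE_CONF).items():
        status = "enabled: " + ",".join(enabled) if enabled else "defaults intact"
        print(f"{entry}: {status}")
```

A non-empty list for either entry marks a deviation from the default block list that should be traced back to a documented requirement.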