apache nginx tomcat iis 禁用OPTIONS TRACE不安全方法

OneOne 2018-01-08 AM 7253℃ 0条

一、Apache

使用Apache的重写规则来禁用Options方法和Trace方法

在Apache配置文件httpd-conf中【vhosts-conf】添加以下代码:

单独禁用Trace方法:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

单独禁用Options方法:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(OPTIONS)
RewriteRule .* - [F]

同时禁用Trace方法和Options方法

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]
<VirtualHost *:80>
    DocumentRoot "D:\wwwroot"
    ServerName www.abc.com
    ServerAlias abc.com
  <Directory "D:\wwwroot">
      Options FollowSymLinks ExecCGI
      AllowOverride All
      Order allow,deny
      Allow from all
      Require all granted
      RewriteEngine on
      RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
      RewriteRule .* - [F]
  </Directory>
</VirtualHost>

二、Nginx

在你要屏蔽的虚拟主机的server段里加入下面代码:

if ($request_method !~* GET|POST) {
            return 403;
        }

重启nginx,这样就屏蔽GET、POST、之外的HTTP方法

三、Tomcat

找到conf下web.xml(配置文件末尾</web-app>前添加下面配置)(url下禁用的请求方式)

<security-constraint>  
        <web-resource-collection>  
            <url-pattern>/*</url-pattern>  
            <http-method>PUT</http-method>  
            <http-method>DELETE</http-method>  
            <http-method>HEAD</http-method>  
            <http-method>OPTIONS</http-method>  
            <http-method>TRACE</http-method>  
        </web-resource-collection>  
        <auth-constraint>  
        </auth-constraint>  
    </security-constraint>  

四、IIS

禁用WebDAV功能

标签: OPTIONS, TRACE

非特殊说明,本博所有文章均为博主原创。

评论啦~