Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

"Disable HTTP OPTIONS method" Documentation #12562

Open
georgethemarmot opened this issue Nov 22, 2024 · 2 comments
Open

"Disable HTTP OPTIONS method" Documentation #12562

georgethemarmot opened this issue Nov 22, 2024 · 2 comments

Comments

@georgethemarmot
Copy link

georgethemarmot commented Nov 22, 2024

Jetty version(s)
All supported versions

Enhancement Description
Please document a clear solution on how to disable the http options method

ref. #5909

@joakime
Copy link
Contributor

joakime commented Nov 22, 2024

Jetty 9 is at End of Open Source Community Support

Please upgrade to a supported version of Jetty (Jetty 12.0.x at this point in time) and try again.

@joakime
Copy link
Contributor

joakime commented Nov 22, 2024

As for disabling OPTIONS in general.

That's actually not recommended when working with Modern Web Browsers (Chrome, Firefox, Edge, and all mobile browsers).
You will break the efforts of those browsers to determine Cross-Origin-Resource-Sharing (CORS) for the resources on your website.

If you have a security auditing tool telling you that OPTIONS is a risk, you should challenge that assertion as ancient. (There was a time, back in the late 1990's, before CORS existed, where OPTIONS was viewed as exposing too much information about the request target or server. But that is absolutely not true in the modern era.)

See this answer from 2020 on the Information Security Stackexchange website.

https://security.stackexchange.com/questions/225325/is-the-http-method-options-secure-nowadays

It talks about how OWASP handles various HTTP methods for purposes of security.
The linked to page on that answer has been constantly been kept up to date.
The newest version of that page also does not consider OPTIONS as a vulnerability, and points out it's crucial role in CORS.

As for how, the recommendations in #5909 still apply.

If you are attempting to disable OPTIONS * (HTTP absolute form) then the constraint must exist on a webapp deployed to ROOT / context-path and the constraint url-pattern must be /. - but be aware that this disables all HTTP request target.
Any other request target for OPTIONS (HTTP origin form) then the constraint should include the appropriate url-pattern against the webapp in question.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants