[WEB SECURITY] about http method

Monty Ree chulmin2 at hotmail.com
Wed Jun 8 00:26:55 EDT 2005


Hello, all.

Some documents say "Please limit httpd method at httpd.conf to improve 
security."

So I have some questions about HTTP methods.


1. First question

When I used the CONNECT method, the Apache result was different.
(The config is alike; the version, 1.3.26, is alike.)

Some Apache servers:
Allow: GET, HEAD, OPTIONS, TRACE

But some Apache servers respond like below:
Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, 
PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE

Why is the result not the same?


2. And an additional question.

I allowed GET, POST, OPTIONS like below, but Apache says that the TRACE method is 
allowed too.
What's the relation between OPTIONS and TRACE?

<LimitExcept GET POST OPTIONS>
   Order allow,deny
   deny from all
</LimitExcept>

3. Some documents say that one can upload a file using the PUT method and 
delete it using the DELETE method. But most CGI or PHP programs use the POST 
method to upload or delete a file. When is the PUT or DELETE method required?
 


Thanks in advance.
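
An added example, not part of the original post: a Python check that parses the Allow header of an OPTIONS response (including a value folded across lines) and compares it with the intended method policy. The function names and sample responses are constructed; only the two Allow values and the GET/POST/OPTIONS policy come from the post.

```python
import re

# Policy from the post's <LimitExcept GET POST OPTIONS> block. HEAD is included
# as an assumption: Apache applies a limit on GET to HEAD requests as well.
INTENDED = {"GET", "HEAD", "POST", "OPTIONS"}

def advertised_methods(raw_response):
    """Return the set of methods in the Allow header(s) of a raw HTTP response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    # Unfold continuation lines (a header value wrapped onto an indented line).
    head = re.sub(r"\n[ \t]+", " ", head)
    methods = set()
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            methods.update(m.strip().upper() for m in value.split(",") if m.strip())
    return methods

def audit(raw_response, intended=INTENDED):
    """Compare the advertised methods with the intended policy."""
    seen = advertised_methods(raw_response)
    return {"unexpected": sorted(seen - intended),
            "missing": sorted(intended - seen)}

# Constructed sample responses; only the Allow values are taken from the post.
RESTRICTED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Allow: GET, HEAD, OPTIONS, TRACE\r\n"
    "Content-Length: 0\r\n\r\n"
)
PERMISSIVE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND,\r\n"
    " PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, resp in (("restricted", RESTRICTED), ("permissive", PERMISSIVE)):
        print(label, audit(resp))
```

The Allow header is only what the server advertises for the requested resource. Apache's documentation for the Limit directive states that TRACE cannot be limited by it, which is consistent with TRACE still being reported under the LimitExcept block above.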



---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/


