[WEB SECURITY] about http method
Richard Moore
rich at westpoint.ltd.uk
Wed Jun 8 05:01:46 EDT 2005
Monty Ree wrote:
> 1. First question: when I used the CONNECT method, the Apache result was
> different. (config is alike, version is 1.3.26 alike)
>
> Some apache : Allow: GET, HEAD, OPTIONS, TRACE
>
> but some apache like below. Allow: GET, HEAD, POST, PUT, DELETE,
> CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE,
> LOCK, UNLOCK, TRACE
>
> Why is the result not the same?

The second server has webdav and proxying enabled, the first doesn't.

> 2. And an additional question.
>
> I allowed GET,POST,OPTIONS like below, but apache says that TRACE
> method is allowed too. What's the relation between OPTIONS and
> TRACE?

You can limit the methods with something like this:

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$
    RewriteRule .* - [F]

>
> <LimitExcept GET POST OPTIONS>
>     Order allow,deny
>     deny from all
> </LimitExcept>
>
> 3. Some documents say that one can upload the file using PUT method
> and delete using DELETE method. But most cgi or php programs use the
> POST method to upload or delete the file. When is the PUT or DELETE
> method required?

PUT and DELETE aren't used in practice. POST is a general
way to submit information, with file uploads being one use.

Rich.
--
Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
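
Added example (not part of the original message, and not Apache code): a small audit helper that takes an Allow header as returned by OPTIONS, applies the allowlist from the RewriteCond in the reply, and reports which advertised methods fall outside it. The function names and the WebDAV/proxy grouping are assumptions of this example, following the reply's explanation of the second server.

```python
import re

# Allowlist pattern copied from the RewriteCond in the reply; a method
# that does not match would receive 403 from the [F] rule.
ALLOWED = re.compile(r"^(GET|HEAD|POST)$")

# Grouping is an assumption of this example: RFC 4918 WebDAV method
# names, and CONNECT as the sign of proxying, as the reply suggests.
WEBDAV = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
PROXY = {"CONNECT"}


def parse_allow(header_line):
    """Return the set of methods listed in an 'Allow: ...' header line."""
    value = header_line.split(":", 1)[1] if ":" in header_line else header_line
    return {m.strip() for m in value.split(",") if m.strip()}


def audit(header_line):
    """Compare advertised methods against the allowlist."""
    methods = parse_allow(header_line)
    extra = {m for m in methods if not ALLOWED.match(m)}
    return {
        "allowed": sorted(methods - extra),
        "outside_allowlist": sorted(extra),
        "webdav_hint": sorted(extra & WEBDAV),
        "proxy_hint": sorted(extra & PROXY),
        "trace_advertised": "TRACE" in methods,
    }


# The two Allow headers quoted in the thread.
SERVER_A = "Allow: GET, HEAD, OPTIONS, TRACE"
SERVER_B = ("Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, "
            "PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE")

if __name__ == "__main__":
    for name, header in (("first server", SERVER_A), ("second server", SERVER_B)):
        print(name, audit(header))
```

Run against your own server's OPTIONS response after applying the rewrite rule to confirm that only the intended methods are still served.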