[WEB SECURITY] about http method

Richard Moore rich at westpoint.ltd.uk
Wed Jun 8 05:01:46 EDT 2005



Monty Ree wrote:
> 1. First question: when I use the CONNECT method, the apache result was
> different. (config is alike, version is 1.3.26 alike)
> 
> Some apache : Allow: GET, HEAD, OPTIONS, TRACE
> 
> but some apache like below. Allow: GET, HEAD, POST, PUT, DELETE,
> CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE,
> LOCK, UNLOCK, TRACE
> 
> Why is the result not the same?

The second server has webdav and proxying enabled, the first doesn't.

> 2. And an additional question.
> 
> I allowed GET,POST,OPTIONS like below, but apache says that TRACE
> method is allowed too. What's the relation between OPTIONS and
> TRACE?

You can limit the methods with something like this:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$
RewriteRule .* - [F]


> 
> <LimitExcept GET POST OPTIONS>
>     Order allow,deny
>     deny from all
> </LimitExcept>
> 
> 3. Some documents say that one can upload the file using PUT method
> and delete using DELETE method. But most cgi or php programs use the
> POST method to upload or delete the file. When is the PUT or DELETE
> method required?

PUT and DELETE aren't used in practice. POST is a general
way to submit information, with file uploads being one use.

Rich.
-- 
Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
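
Added example, not part of the original message: a small audit over the two Allow headers quoted in the question, showing which advertised methods come from the WebDAV and proxy features and which ones the RewriteCond pattern in the reply would answer with 403. The grouping of methods by feature (RFC 2518 methods as WebDAV, CONNECT as proxy) and the function names are assumptions of this example; it only evaluates the regular expression and does not model Apache itself.

```python
import re

# Assumed grouping: the methods defined by RFC 2518 (WebDAV) and the
# proxy tunnelling method. Anything else is left unclassified.
WEBDAV = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
PROXY = {"CONNECT"}

# Pattern from the RewriteCond in the reply. The condition is negated there,
# so a method that does NOT match this pattern hits the [F] (403) rule.
REWRITE_ALLOWED = re.compile(r"^(GET|HEAD|POST)$")

def parse_allow(header_line):
    """Return the set of methods listed in an 'Allow: ...' header line."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "allow":
        raise ValueError("not an Allow header: %r" % header_line)
    # Method names are case-sensitive, so they are kept exactly as sent.
    return {m.strip() for m in value.split(",") if m.strip()}

def audit(header_line):
    """Classify advertised methods and apply the rewrite pattern to each."""
    methods = parse_allow(header_line)
    passes = {m for m in methods if REWRITE_ALLOWED.match(m)}
    return {
        "webdav": sorted(methods & WEBDAV),
        "proxy": sorted(methods & PROXY),
        "still_served": sorted(passes),
        "forbidden_by_rewrite": sorted(methods - passes),
    }

# The two Allow headers quoted in the question.
FIRST = "Allow: GET, HEAD, OPTIONS, TRACE"
SECOND = ("Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, "
          "PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE")

if __name__ == "__main__":
    for label, header in (("first", FIRST), ("second", SECOND)):
        print(label)
        for key, value in audit(header).items():
            print("  %-21s %s" % (key, ", ".join(value) or "-"))
```
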


