Valid HTTP Method Handler
Purpose
The Valid HTTP Method Handler limits the permitted HTTP methods for a request. For each HTTP method supported, you can specify whether or not this is permissible at this point.
Invalid requests are denied by vWAF with an HTTP error code conforming to the HTTP protocol: 405 (Method Not Allowed), 415 (Unsupported Media Type) or 413 (Request Entity Too Large).
For more information regarding adding and editing Handlers, see Editing Handlers.
Severity
Events triggered by this handler are given the severity: low. (For details on severity levels, see Severity of Events Triggered by Handlers).
Recommendations for use
Use the Valid HTTP Method Handler with static websites to deactivate the POST method. If you’re using a form, or if parts of your website are dynamic, define a path to permit POST for this area only.
Set a higher value for max-content-length if you want users to be able to transmit data quantities larger than 64KB, e.g. for uploading photos or other large files.
Attributes
Attribute | Meaning |
---|---|
allow GET allow HEAD allow POST allow PUT allow OPTIONS allow TRACE allow DELETE allow CONNECT allow WebDAV allow OWA allow SVN allow POST WITHOUT CL |
Activate the methods that you want to permit. ATTENTION Note on the use of the attribute "allow OPTIONS": OPTIONS requests often use an asterisk (*) instead of a path specification. vWAF, however, always compares the given statements with the path specifications of the paths defined in vWAF. As most defaults and examples within this documentation begin with a slash (such as in /.*), vWAF won't find a matching path. If you want to permit OPTIONS requests, you therefore need to add an extra path \* to match the * specification (see Editing Paths). Note on the attribute "method WebDAV": If this attribute is activated, this allows all methods that are used in combination with WebDAV. These methods are: MOVE, PROPFIND, PROPPATCH, DELETE, MKCOL, PUT, COPY, LOCK, and UNLOCK. Note on the attribute "method OWA": If this attribute is activated, this allows all methods that are used in combination with Microsoft Outlook Web Access (OWA). These methods are: MOVE, PROPFIND, PROPPATCH, DELETE, MKCOL, SEARCH, POLL, SUBSCRIBE, BMOVE, BCOPY, BDELETE, and BPROPPATCH. Note on the attribute "allow SVN": If this attribute is activated, this allows all methods that are used in combination with SVN (Subversion) servers. These methods are: CHECKOUT, COPY, DELETE, GET, MERGE, MKACTIVITY, MKCOL, OPTIONS, POST, PROPFIND, PROPPATCH, PUT, and REPORT. |
max content length |
Specify the maximum length here in bytes that can be transmitted by POST. A value of 0 indicates that there's no content length limit at all. This is the default setting. |
usertext |
Optional: Here you can specify some text that vWAF adds to the log file entries created by this handler. You can use this, for example, to document why you've added the handler to your configuration, and how the handler is intended to behave. |
enable logging |
Disable this option if you do not want vWAF to create a log file entry when the handler is executed. This can be useful to keep log files smaller in case the handler creates a large number of entries but you don't need these entries. When in detection mode, disabling logging de facto makes the handler ineffective. Disabling logging also prevents the actions of the handler from being taken into account for the Top-10 lists in Attack Analysis, and from being listed in Reports. To decrease the size of the log files, also consider to enable reduced logging, which excludes all non-handler-related information from the log files (see Editing Applications). |
For details regarding entries added to the log file by this handler, see the relevant section in Entries in Application-Specific Log Files.