Article Number: 000203558
Security KB
The HTTP OPTIONS method is useful for debugging but should be disabled when not in use. TRACE should be disabled for the same reason, although security scanners do not always flag TRACE.
To see which HTTP methods are allowed, run the following from the Avamar command line:
curl --head --insecure --location --request OPTIONS https://localhost
root@avmtest5:~/#: curl --head --insecure --location --request OPTIONS https://localhost
HTTP/1.1 301 Moved Permanently
Date: Mon, 19 Sep 2022 19:14:25 GMT
Server: Apache
Location: https://localhost/dtlt/home.html
Cache-Control: max-age=7200000
Expires: Mon, 12 Dec 2022 03:14:25 GMT
Content-Length: 240
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 200
Date: Mon, 19 Sep 2022 19:14:25 GMT
Server: Apache
X-FRAME-OPTIONS: SAMEORIGIN
Set-Cookie: JSESSIONID=F3B34D7245B31DF7BB43763A15D412C6; Path=/dtlt; Secure; HttpOnly; SameSite=Strict
Allow: GET, HEAD, POST, TRACE, OPTIONS
Content-Language: en-US
Content-Length: 0
Cache-Control: max-age=7200000
Expires: Mon, 12 Dec 2022 03:14:25 GMT
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Public-Key-Pins: pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains
Vary: User-Agent
Content-Type: text/html
To restrict the allowed methods, back up the Apache configuration and then edit httpd.conf, adding the following block so that every method other than GET, POST, HEAD, PUT and DELETE is denied:
cp -p /etc/apache2/httpd.conf /etc/apache2/x-httpd.conf.backup
vi /etc/apache2/httpd.conf
<Location />
    <LimitExcept GET POST HEAD PUT DELETE>
        Require all denied
    </LimitExcept>
</Location>
Restart Apache to apply the change:
systemctl restart apache2
Re-run the check to confirm the change:
curl --head --insecure --location --request OPTIONS https://localhost
root@test-server:~/#: curl --head --insecure --location --request OPTIONS https://localhost
HTTP/1.1 301 Moved Permanently
Date: Mon, 19 Sep 2022 19:07:37 GMT
Server: Apache
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Public-Key-Pins: pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains
Location: https://localhost/dtlt/home.html
Cache-Control: max-age=7200000
Expires: Mon, 12 Dec 2022 03:07:37 GMT
Content-Length: 240
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 503 Service Unavailable
Date: Mon, 19 Sep 2022 19:07:37 GMT
Server: Apache
Vary: accept-language,accept-charset,Accept-Encoding,User-Agent
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Public-Key-Pins: pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains
Accept-Ranges: bytes
X-FRAME-OPTIONS: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: en
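As an added verification helper that is not part of this KB, the shell functions below take the header output of the curl command above, read the Allow header of the final response in the redirect chain, and report whether OPTIONS or TRACE is still advertised. The two header samples are constructed from the before and after outputs shown, and probe_host is a hypothetical wrapper for checking a live host.

```shell
# Audit the Allow header returned to an OPTIONS probe (added example).
# Input: headers as printed by
#   curl --head --insecure --location --request OPTIONS https://<host>
# With --location, curl prints one header block per hop; only the final
# block describes the resource actually served, so earlier hops are reset.
# Prints the final Allow header as a comma-separated list without spaces,
# or an empty line when no Allow header is present.
allowed_methods() {
  tr -d '\r' \
    | awk '/^HTTP\//{allow=""} tolower($1)=="allow:"{sub(/^[^:]*:[ \t]*/,""); allow=$0} END{print allow}' \
    | tr -d ' '
}
# Returns 0 when neither OPTIONS nor TRACE is advertised, 1 otherwise.
# Note: Apache's <Limit>/<LimitExcept> sections cannot restrict TRACE;
# that method is controlled by the separate "TraceEnable off" directive.
check_methods() {
  local methods found=""
  methods=$(allowed_methods)
  for m in OPTIONS TRACE; do
    case ",$methods," in *",$m,"*) found="$found $m" ;; esac
  done
  if [ -n "$found" ]; then
    echo "FAIL: advertised:$found"
    return 1
  fi
  echo "PASS: Allow='${methods:-<none>}'"
}
# Live probe of one host (hypothetical wrapper, not run in this example).
probe_host() {
  curl --silent --head --insecure --location --request OPTIONS "https://$1" | check_methods
}
# Constructed samples modelled on the before and after outputs above;
# they are not real captures.
SAMPLE_BEFORE='HTTP/1.1 301 Moved Permanently
Location: https://localhost/dtlt/home.html

HTTP/1.1 200 200
Allow: GET, HEAD, POST, TRACE, OPTIONS
Content-Length: 0'
SAMPLE_AFTER='HTTP/1.1 301 Moved Permanently
Location: https://localhost/dtlt/home.html

HTTP/1.1 503 Service Unavailable
Connection: close'
for s in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
  printf '%s\n' "$s" | check_methods || :   # FAIL: advertised: OPTIONS TRACE, then PASS: Allow='<none>'
done
```

Because a LimitExcept block does not cover TRACE, check TraceEnable separately; an Allow header that still lists TRACE after the change is the symptom to look for.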
Avamar Server
23 Sep 2022