Disabling Specific HTTP Methods

For security reasons, you may want to disable or restrict one or more HTTP request methods on your Apache Tomcat server. A method that is often restricted is HTTP OPTIONS, because an OPTIONS request can sometimes expose internal server configuration details and reveal vulnerabilities.


The HTTP OPTIONS method does, of course, have a legitimate purpose apart from any abuse for malicious ends. Browsers send an HTTP OPTIONS request to find out which HTTP methods and other options the server supports before sending the actual request.


To restrict HTTP methods such as OPTIONS, add a <security-constraint> element to <tomcat>/conf/web.xml. Below is an example in which the OPTIONS and DELETE methods are disabled. The empty <auth-constraint/> tag in the example means that no role can access the specified methods, so those methods are completely disallowed.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>OPTIONS</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
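As an added example (not part of the original page or of Tomcat itself), the following script audits a web.xml for constraints of the kind shown above: it reports which HTTP methods are denied to everyone because the constraint carries an empty <auth-constraint/>. The web.xml content is a constructed sample; real files carry a default namespace, which the matching handles.

```python
"""Audit a Tomcat web.xml for HTTP methods denied by an empty <auth-constraint/>."""
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not a real deployment file). A default Java EE
# namespace is included because real web.xml files declare one.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def denied_methods(web_xml_text):
    """Return {url-pattern: set(methods)} for constraints whose <auth-constraint/>
    names no role, i.e. requests Tomcat rejects for every caller.
    An empty method set means the constraint lists no <http-method> and
    therefore denies all methods for that pattern."""
    root = ET.fromstring(web_xml_text)
    denied = {}
    # "{*}" matches the element whether or not it sits in a namespace.
    for sc in root.iterfind(".//{*}security-constraint"):
        auth = sc.find("{*}auth-constraint")
        # No <auth-constraint>: unrestricted. With <role-name>: role-based, not a blanket denial.
        if auth is None or auth.find("{*}role-name") is not None:
            continue
        for wrc in sc.findall("{*}web-resource-collection"):
            methods = {m.text.strip().upper() for m in wrc.findall("{*}http-method")}
            for up in wrc.findall("{*}url-pattern"):
                denied.setdefault(up.text.strip(), set()).update(methods)
    return denied


if __name__ == "__main__":
    for pattern, methods in denied_methods(SAMPLE_WEB_XML).items():
        print(pattern, "denies", ", ".join(sorted(methods)) or "ALL methods")
```

Point the script at a real <tomcat>/conf/web.xml to confirm the restriction landed where intended; any pattern reported with "ALL methods" is a constraint that blocks every request, which is rarely what was meant.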

(c) 2013-2024 Altair Engineering Inc. All Rights Reserved.