1

For security purposes regarding my Spring Boot application, one client is asking for a restriction of the allowed methods.

Indeed, although my application only provides GET and POST methods, when I run `nikto -ssl -h localhost:8181` I get the following messages:

+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS 
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.

In these circumstances, I am looking for a way to restrict the HTTP methods allowed by my Spring Boot application and effectively expose only GET and POST methods.

Thanks for your help.

Philippe MESMEUR
  • Are you using Spring Security? If not, you could write a filter to limit the methods available; otherwise you could let Spring Security handle the allowance. – M. Deinum Jun 07 '22 at 12:27

2 Answers

1

You can add your own implementation of OncePerRequestFilter, which aims to guarantee a single execution per request dispatch. Example as follows:

import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Component
public class MethodFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
                    throws ServletException, IOException {
        // Only GET and POST continue down the filter chain to the application
        if (request.getMethod().equals("GET") || request.getMethod().equals("POST")) {
            filterChain.doFilter(request, response);
        } else {
            // Every other method is refused with 405 Method Not Allowed
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        }
    }
}

This will also disable the OPTIONS method, which returns all possible API options.

Swapnil Khante
  • This method is working: non-`GET` and non-`POST` methods are correctly filtered. However, when launching `nikto -ssl -h localhost:8181`, I still get the same messages saying that `GET, HEAD, POST, PUT, DELETE, OPTIONS` are allowed! I think that, additionally, I have to change the value of a header attribute (certainly `Access-Control-Allow-Methods`), but I don't know how. Any idea? – Philippe MESMEUR Jun 07 '22 at 14:17
  • @PhilippeMESMEUR - You can also try adding CrossOrigin on the Controller or even at the global level [check this out](https://www.baeldung.com/spring-cors#2-crossorigin-on-the-controller) – Swapnil Khante Jun 07 '22 at 14:36
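An added example, written for this page and not taken from the answer or from the Spring project: the two nikto findings quoted in the question are explicitly about the `Allow` header ("HTTP method ('Allow' Header)"), so refusing PUT and DELETE is only half the job; the method list the server advertises has to shrink as well. The filter below refuses everything but GET and POST, puts `Allow: GET, POST` on every 405 (which RFC 7231 section 6.5.5 requires anyway) and answers OPTIONS itself with the same header, so no downstream handler can advertise PUT or DELETE again. It assumes Spring Boot 2.x on `javax.servlet`, matching the answer's imports (on Spring Boot 3 the `javax.servlet` imports become `jakarta.servlet`); the class names `AllowedMethodsFilter` and `AllowedMethodsFilterConfig` are mine.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import java.util.TreeSet;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Refuses every HTTP method except GET and POST before the request reaches
 * Spring MVC. Two details go beyond a bare sendError(405):
 *  - every refusal carries "Allow: GET, POST", the header RFC 7231 requires on
 *    a 405 and the one scanners read when they report "Allowed HTTP Methods";
 *  - OPTIONS is answered here with that same header, so the advertised list can
 *    never be wider than what the filter actually lets through.
 * Hypothetical class name; the method set is the one the question asks for.
 */
public class AllowedMethodsFilter extends OncePerRequestFilter {

    // TreeSet keeps the Allow header value in a stable order: "GET, POST"
    private static final Set<String> ALLOWED_METHODS = Collections.unmodifiableSet(
            new TreeSet<>(Arrays.asList("GET", "POST")));
    private static final String ALLOW_HEADER = String.join(", ", ALLOWED_METHODS);

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        String method = request.getMethod();

        if (ALLOWED_METHODS.contains(method)) {
            chain.doFilter(request, response);   // GET and POST proceed normally
            return;
        }

        // Whatever we refuse, advertise exactly the accepted set and nothing more.
        response.setHeader("Allow", ALLOW_HEADER);

        if ("OPTIONS".equals(method)) {
            // Answer OPTIONS ourselves: an empty 204 whose only payload is the
            // Allow header. Forwarding it would let the application's own
            // handler (or the container) advertise PUT/DELETE again.
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }

        // HEAD, PUT, DELETE, PATCH, TRACE and anything else end here. setStatus
        // rather than sendError keeps this a bare 405 instead of dispatching
        // to Spring Boot's /error page.
        response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        response.setContentLength(0);
    }
}

/**
 * Registers the filter ahead of every other servlet filter (including a Spring
 * Security chain). Using FilterRegistrationBean instead of @Component is what
 * lets us pin the order.
 */
@Configuration
class AllowedMethodsFilterConfig {

    @Bean
    public FilterRegistrationBean<AllowedMethodsFilter> allowedMethodsFilter() {
        FilterRegistrationBean<AllowedMethodsFilter> registration =
                new FilterRegistrationBean<>(new AllowedMethodsFilter());
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        registration.addUrlPatterns("/*");
        return registration;
    }
}
```

Two practical notes. `Access-Control-Allow-Methods` is a CORS header that only matters to browsers during a preflight; it is not the `Allow` header the nikto output names, so changing it alone would not change those findings. And because Spring MVC serves HEAD from GET handlers, this filter also blocks HEAD, which is what the question asks for; if a load balancer health check or a client relies on HEAD, add it to `ALLOWED_METHODS` and the `Allow` header follows automatically.
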

1

Typically, in Spring you develop a custom HandlerInterceptor, and from the preHandle method you can block the incoming request by returning false. The framework will then stop doing any additional API calls further down the chain.

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.web.servlet.HandlerInterceptor;

public class BlockingHttpMethodInterceptor implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        // GET and POST continue to the controller
        if (HttpMethod.GET.matches(request.getMethod())
         || HttpMethod.POST.matches(request.getMethod())) {
            return true;
        } else {
            // Any other method is answered with 405 and the chain stops here
            response.sendError(HttpStatus.METHOD_NOT_ALLOWED.value());
            return false;
        }
    }
}

And lastly, you can register this handler, potentially providing a strategy for when the handler should be executed.

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebMvcConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new BlockingHttpMethodInterceptor())
                .addPathPatterns("/**"); // paths that should use the interceptor
    }
}

Nico Van Belle
  • Same thing as with the previous answer: this method is working: non-`GET` and non-`POST` methods are correctly filtered. However, when launching `nikto -ssl -h localhost:8181`, I still get the same messages saying that `GET, HEAD, POST, PUT, DELETE, OPTIONS` are allowed! I think that, additionally, I have to change the value of a header attribute (certainly `Access-Control-Allow-Methods`), but I don't know how. Any idea? – Philippe MESMEUR Jun 07 '22 at 14:18
  • @Nico - Filters intercept requests before they reach the DispatcherServlet, making them ideal for coarse-grained tasks such as authentication, whereas HandlerInterceptors intercept requests between the DispatcherServlet and our controllers, so it's not a good choice to block an HTTP request using an interceptor; instead, it's good for handling cross-cutting concerns like logging. [check this out](https://www.baeldung.com/spring-mvc-handlerinterceptor-vs-filter#key-differences-and-use-cases) – Swapnil Khante Jun 07 '22 at 14:43
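Both answers were tested by re-running nikto, which only reports what the scanner happens to check. As an added example (my script, not from either answer or from nikto), the shell snippet below checks the result directly from the outside: it sends each common method to the server with curl, expects refused methods to come back as 405 (with OPTIONS also allowed to answer an empty 204), and verifies that any `Allow` header the server returns lists exactly GET and POST, since `Allow` is the header nikto's two findings cite. It assumes curl is installed and the application is reachable at the URL given on the command line (the question's port is used in the usage comment); the file name `check_methods.sh` is illustrative.

```shell
#!/bin/sh
# check_methods.sh (illustrative name): probe which HTTP methods a server accepts
# and whether its Allow header advertises more than the intended GET/POST policy.
# Usage: sh check_methods.sh https://localhost:8181/

METHODS="GET HEAD POST PUT DELETE OPTIONS PATCH TRACE"
EXPECTED_ALLOWED="GET POST"   # the policy the question asks for

# probe_method URL METHOD -> prints "STATUS|ALLOW-HEADER-VALUE" (needs curl and a live server)
probe_method() {
    url="$1"; method="$2"
    if [ "$method" = "HEAD" ]; then
        # -I sends a real HEAD; -X HEAD would make curl wait for a body that never comes
        headers=$(curl -k -s -I --max-time 10 "$url")
    else
        headers=$(curl -k -s -X "$method" --max-time 10 -D - -o /dev/null "$url")
    fi || return 1
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
    allow=$(printf '%s\n' "$headers" | tr -d '\r' \
            | awk 'tolower($1) == "allow:" { sub(/^[^:]*:[ \t]*/, ""); print }')
    printf '%s|%s\n' "$status" "$allow"
}

# normalize_methods "GET, HEAD, POST" -> "GET HEAD POST": upper-cased, sorted, space-separated
normalize_methods() {
    printf '%s\n' "$1" | tr ', ' '\n\n' | tr -d '\r' | tr '[:lower:]' '[:upper:]' \
        | grep -v '^$' | sort | tr '\n' ' ' | sed 's/ $//'
}

# allow_header_matches ALLOW_VALUE EXPECTED -> succeeds when both describe the same method set
allow_header_matches() {
    [ "$(normalize_methods "$1")" = "$(normalize_methods "$2")" ]
}

# judge_method METHOD STATUS -> "ok" or "FAIL" against the policy:
#   allowed methods may return anything except 405 (the path itself may 404 or 400);
#   OPTIONS may be refused with 405 or answered with an empty 204 that only carries Allow;
#   every other method must be refused with 405 (a 403 is FAIL too: it says the method
#   exists but is forbidden, not that it is unsupported).
judge_method() {
    method="$1"; status="$2"
    case " $EXPECTED_ALLOWED " in
        *" $method "*) [ "$status" != "405" ] && echo ok || echo FAIL ;;
        *)
            if [ "$method" = "OPTIONS" ] && [ "$status" = "204" ]; then echo ok
            elif [ "$status" = "405" ]; then echo ok
            else echo FAIL
            fi ;;
    esac
}

main() {
    url="$1"; rc=0
    for method in $METHODS; do
        if ! result=$(probe_method "$url" "$method"); then
            printf '%-8s connection failed\n' "$method"; rc=1; continue
        fi
        status=${result%%|*}; allow=${result#*|}
        verdict=$(judge_method "$method" "$status")
        printf '%-8s %-4s %s\n' "$method" "$status" "$verdict"
        [ "$verdict" = "ok" ] || rc=1
        # Any response that advertises methods must advertise exactly the policy set.
        if [ -n "$allow" ] && ! allow_header_matches "$allow" "$EXPECTED_ALLOWED"; then
            printf '         Allow header too wide: %s\n' "$allow"; rc=1
        fi
    done
    return $rc
}

# Probe only when a URL is given, so the functions can also be sourced and unit-tested.
[ $# -gt 0 ] && main "$@"
```

A non-zero exit status means at least one method slipped through or the server still advertises a wider `Allow` list than the policy, which is the condition behind the scanner output quoted in the question.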