This question is a continuation of Restrict HTTP methods (only GET and POST) in Spring Web application: the original question was not correct because of a misunderstanding of the client's request.
A client ran a pen test on my SpringBoot application. Although my application only provides GET and POST methods, the pen test reported:
Options allowed: GET, HEAD, POST, PUT, DELETE, OPTIONS
The client wants to effectively only allow the GET and POST methods.
I found two ways to get the same output as the client:

using nikto

```
nikto -ssl -h https://localhost:8181
...
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
```

using curl

```
curl -k -i --request-target "*" -X OPTIONS https://localhost:8181
...
HTTP/1.1 200
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
```
It seems that both are asking for the OPTIONS method at the * target.
In this circumstance, I am looking for a way to configure/tune my SpringBoot application in order to answer Allow: GET, POST.
I tried the solutions given in Restrict HTTP methods (only GET and POST) in Spring Web application but unfortunately, they are "only" blocking requests made with non-GET and non-POST methods.
I may be wrong, but I think that the solution would be, at least for the * target, to provide an HTTP Allow header with only the values GET and POST.
Thank you for your help.
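As an added illustration (not code from the question or from Spring itself) of the approach the last paragraph suggests: a hypothetical servlet filter, registered ahead of everything else, that answers any OPTIONS request with a fixed `Allow: GET, POST` and rejects other methods with 405, so the container's default `doOptions()` reflection never gets to advertise PUT, DELETE or HEAD. It assumes Spring Boot 3 (`jakarta.servlet` imports; use `javax.servlet` on Boot 2) and that the container dispatches the `OPTIONS *` request through the filter chain.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import java.io.IOException;
import java.util.Set;

/**
 * Hypothetical filter (assumption, not from the question): owns the Allow
 * header so that neither the servlet container's default doOptions() nor the
 * DispatcherServlet can advertise methods the application does not serve.
 */
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)   // run before Spring Security and the DispatcherServlet
public class AllowedMethodsFilter extends OncePerRequestFilter {

    private static final Set<String> ALLOWED = Set.of("GET", "POST");
    private static final String ALLOW_HEADER = "GET, POST";

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        String method = request.getMethod().toUpperCase();

        if ("OPTIONS".equals(method)) {
            // Covers "OPTIONS *" as well as OPTIONS on a concrete path.
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            response.setHeader("Allow", ALLOW_HEADER);
            response.setContentLength(0);
            return; // stop here: the servlet must not overwrite the Allow header
        }

        if (!ALLOWED.contains(method)) {
            // 405 responses must carry an Allow header listing what is accepted.
            response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            response.setHeader("Allow", ALLOW_HEADER);
            return;
        }

        chain.doFilter(request, response);
    }
}
```

Re-run the `curl -k -i --request-target "*" -X OPTIONS` command from the question afterwards: if the response still lists PUT and DELETE, the container answered the `*` target before the filter chain and the restriction must be applied at the container or reverse-proxy level instead.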