high
Web Vulnerabilities
Dangerous HTTP Methods Enabled
The server allows dangerous HTTP methods (PUT, DELETE, TRACE, CONNECT, WebDAV) that can be abused for file upload, deletion, or cross-site tracing.
Severity
high
Time to Fix
15 minutes
Difficulty
easy
OWASP
A05:2021 — Security Misconfiguration
What is Dangerous HTTP Methods Enabled?
HTTP methods like PUT (upload files), DELETE (delete files), TRACE (reflect requests — enables XST), and CONNECT (open proxy) should be disabled on production web servers unless explicitly needed. TRACE in particular enables Cross-Site Tracing (XST), which can steal HttpOnly cookies.
Why It Matters to Your Business
Enabled PUT/DELETE methods can allow attackers to upload web shells or delete critical files. TRACE enables XST attacks that bypass HttpOnly cookie protection. WebDAV methods (PROPFIND, MKCOL) expose additional attack surface.
How to Fix It
Disable dangerous HTTP methods:
Nginx:
if ($request_method !~ ^(GET|POST|HEAD|OPTIONS)$ ) {
return 405;
}
Apache:
<LimitExcept GET POST HEAD OPTIONS>
Require all denied
</LimitExcept>
Apache (disable TRACE):
TraceEnable off
IIS (web.config):
<system.webServer>
<security>
<requestFiltering>
<verbs>
<add verb="TRACE" allowed="false" />
<add verb="PUT" allowed="false" />
<add verb="DELETE" allowed="false" />
</verbs>
</requestFiltering>
</security>
</system.webServer>
Technical Classification
| OWASP Category | A05:2021 — Security Misconfiguration |
| CWE ID | CWE-650: Trusted HTTP URL Leaves Door Open |
| Detected By | http_methods scanner(s) |
| Severity Level | high |
How 2MNY Security Can Help
Check if your website has this vulnerability
Our http_methods scanner checks for this issue automatically.
Scan My Website Free