S4E

Allowed HTTP Methods

This tool shows which HTTP methods the server behind your website supports.

Short Info

Level: Low
Single Scan
Can be used by: Everyone
Estimated Time: 5 seconds
Time Interval: 3 days
Scan only one: Domain, IPv4


What are HTTP and HTTP Request Methods?

HyperText Transfer Protocol (HTTP) is the protocol that forms the foundation of the web and enables data exchange with websites. HTTP requests use port 80 by default.

Several HTTP methods can be used to exchange data with a website. For example, when you type a website address into your browser and press Enter, the browser automatically sends an HTTP GET request to the target website.

Some HTTP methods are as follows:

GET, POST, PUT, HEAD, DELETE, CONNECT, OPTIONS, TRACE, PATCH, SEARCH


Why is it important to know HTTP Request Methods?

It is recommended to disable the HTTP methods that are not used frequently (DELETE, PUT, LOCK, MOVE, PROPFIND and PROPPATCH) as well as the debugging methods TRACE, TRACK and DEBUG.

Additionally, the OPTIONS method is used to list the methods a web server supports. It can be disabled if it does not serve a specific purpose.


How can you learn HTTP methods supported by a server?

You can use our free online HTTP Request Methods finder tool. To do this, type your domain name or IP address into the form at the top of the page and start the scan.

Alternatively, you can run the following command with nmap, which can be installed on all operating systems:

	nmap --script http-methods Target_Host

You can also use the http/options auxiliary module of the Metasploit Framework to perform the same check.

Lastly, you can check manually. If your website permits the OPTIONS request method, you will get results similar to the following:

	curl -v -X OPTIONS http://172.19.0.100
	> OPTIONS / HTTP/1.1
	> User-Agent: curl/7.61.0
	> Host: 172.19.0.100
	> Accept: */*
	>
	< HTTP/1.1 200 OK
	< Date: Mon, 24 May 2020 21:21:20 GMT
	< Server: Apache/2.2.21
	< Allow: GET,HEAD,POST,OPTIONS,TRACE
	< Content-Length: 0
	< Content-Type: text/html
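
As an added example (not part of the original page or of the S4E tool), the shell script below automates the manual check: it reads response headers, extracts the Allow header and reports any method from the list this page recommends disabling. The function names and verdict strings are assumptions made for this example; the sample headers are taken from the curl output above.

```shell
#!/bin/sh
# Methods the page recommends disabling (rarely used and debugging methods).
RISKY="DELETE PUT LOCK MOVE PROPFIND PROPPATCH TRACE TRACK DEBUG"

# allowed_methods: read response headers on stdin (plain, or curl -v style
# with a leading "< ") and print each method from Allow, upper-cased, sorted.
allowed_methods() {
    tr -d '\r' | awk '
        { sub(/^< ?/, "") }                 # strip curl -v response prefix
        /^$/ { exit }                       # blank line ends the headers
        tolower($0) ~ /^allow[ \t]*:/ {     # header names are case-insensitive
            sub(/^[^:]*:/, "")
            n = split($0, m, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", m[i])
                # keep only plain method tokens (drops empties and odd input)
                if (m[i] ~ /^[A-Za-z-]+$/) print toupper(m[i])
            }
        }' | sort -u
}

# audit_response: print one verdict line for the response on stdin.
audit_response() {
    all=$(allowed_methods)
    if [ -z "$all" ]; then
        # No Allow header: OPTIONS may be disabled; nothing can be concluded.
        echo "UNKNOWN no Allow header"
        return 0
    fi
    bad=""
    for m in $all; do
        case " $RISKY " in *" $m "*) bad="$bad $m" ;; esac
    done
    if [ -n "$bad" ]; then echo "REVIEW${bad}"; else echo "OK"; fi
}

# Response headers copied from the curl output shown above.
SAMPLE='< HTTP/1.1 200 OK
< Server: Apache/2.2.21
< Allow: GET,HEAD,POST,OPTIONS,TRACE
< Content-Length: 0'

printf '%s\n' "$SAMPLE" | audit_response    # REVIEW TRACE
```

The Allow header only shows what the server advertises, so a method that is missing from it can still be accepted; confirm the result against the server configuration.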