Dangerous HTTP Methods – Restriction
Objective
To mitigate security risks by restricting unsafe HTTP methods while allowing only required methods for AutomationEdge.
Recommendation
Disable unnecessary HTTP methods such as:
- OPTIONS
- TRACE
- TRACK
- HEAD
- PATCH
Note: AutomationEdge requires GET, POST, PUT, DELETE, so these should remain enabled.
Implementation
File Location
<Tomcat_Home>/conf/web.xml
Configuration
Add the following before the closing </web-app> tag:
<security-constraint>
<web-resource-collection>
<web-resource-name>Forbidden Methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>TRACK</http-method>
<http-method>HEAD</http-method>
<http-method>PATCH</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>
Validation
Using Browser / Tool (Postman / Curl)
Test blocked method:
curl -X OPTIONS http://<host>:<port>
👉 Expected:
- 403 Forbidden OR request blocked
Verify Allowed Methods
Ensure below still work:
- GET
- POST
- PUT
- DELETE
Note
- Restart Tomcat after making changes
- Validate application functionality after implementation
- Ensure no dependent service requires blocked methods