
Thursday, November 17, 2011

Disabling certain HTTP Methods in Tomcat

HTTP/1.1 defines eight methods that a client can apply to a resource on a web server: GET, HEAD, POST, OPTIONS, PUT, DELETE, TRACE and CONNECT. GET, POST and HEAD are the ones used to read and submit information in the normal operation of a web application. The others (OPTIONS, PUT, DELETE, CONNECT and TRACE) are not needed by most applications, and leaving them enabled widens the attack surface: PUT and DELETE let a client create or remove content if a servlet honours them, TRACE echoes the request back to the client, and OPTIONS tells an attacker exactly which methods the server will accept. It is therefore good practice to restrict the server to the HTTP methods the application actually needs.

First, determine which HTTP methods your installation is responding to. I use browser plug-ins that let me submit HTTP requests with a chosen URL and HTTP method. There are various plug-ins available for Chrome and Firefox and I do not make any recommendations here.

Second, based on your test results, configure your Tomcat installation not to respond to those HTTP methods. This can be configured at the instance level, so that it applies to every deployed application, by inserting a <security-constraint> element directly under the <web-app> element of the installation's global web.xml file, located at:
[tomcatinstallation]/conf/web.xml
The same element can instead be placed in a single application's WEB-INF/web.xml if only that application should be restricted.

Below is the added configuration.


<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <!-- every URL under the context -->
        <url-pattern>/*</url-pattern>
        <!-- only the methods listed here are covered by the constraint -->
        <http-method>TRACE</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <!-- an empty auth-constraint authorizes no role at all, so the request is always refused -->
    <auth-constraint />
</security-constraint>


With this in place Tomcat answers TRACE, PUT, OPTIONS and DELETE requests for any URL with 403 Forbidden, because the empty <auth-constraint /> authorizes no role at all. Three caveats are worth knowing. The constraint covers only the methods it names, so list the methods you want blocked rather than the ones you want to allow: the reverse pattern, naming GET and POST in a constraint that requires a role, leaves every unlisted method unprotected (Servlet 3.1 containers, Tomcat 8 and later, can add <deny-uncovered-http-methods /> to web.xml to close that gap). Tomcat's Connector already rejects TRACE with 405 unless its allowTrace attribute is set to true, and the DefaultServlet refuses PUT and DELETE unless its readonly init parameter is false, so the constraint mainly matters for servlets in deployed applications that handle those methods themselves. And refusing OPTIONS also refuses CORS preflight requests, so leave it enabled if browsers on other origins must call the application.
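The two steps above, probing before the change and verifying after it, can be scripted. The following is an added example for this post, not code from the original article or from Tomcat. It assumes the server is at localhost:8080 (Tomcat's default HTTP port) and treats a 403, 405 or 501 status as "method refused"; Tomcat answers 403 for methods denied by the constraint above and 405 for TRACE when the Connector's allowTrace is false.

```python
"""Probe which HTTP methods a server answers and flag the risky ones.

Added example for this post; not code from the original article or from
Tomcat. Assumptions: target is localhost:8080 unless overridden on the
command line, and a 403, 405 or 501 status means the method was refused.
"""
import http.client
import sys

# The methods of RFC 2616 section 9, minus CONNECT: CONNECT addresses a
# host:port rather than a resource path, so probing it says nothing about
# a url-pattern based constraint.
PROBE_METHODS = ("GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE", "TRACE")
# Methods the post recommends denying.
RISKY_METHODS = frozenset({"TRACE", "PUT", "DELETE", "OPTIONS"})
# Statuses that mean "refused" rather than "served".
BLOCKED_STATUSES = frozenset({403, 405, 501})


def probe_method(host, port, method, path="/", timeout=5.0):
    """Send one request with the given method; return (status, lower-cased header dict)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def parse_allow(allow_header):
    """Turn an 'Allow: GET, HEAD, POST' header value into an upper-cased set."""
    if not allow_header:
        return set()
    return {m.strip().upper() for m in allow_header.split(",") if m.strip()}


def classify(method, status):
    """Verdict for one probe: 'blocked', 'exposed' (risky and served) or 'allowed'."""
    if status in BLOCKED_STATUSES:
        return "blocked"
    return "exposed" if method in RISKY_METHODS else "allowed"


def exposed_methods(results):
    """From {method: (status, verdict)} return the sorted list of exposed methods."""
    return sorted(m for m, (_, verdict) in results.items() if verdict == "exposed")


def audit(host="localhost", port=8080, path="/"):
    """Probe every method in PROBE_METHODS and return {method: (status, verdict)}."""
    results = {}
    for method in PROBE_METHODS:
        status, headers = probe_method(host, port, method, path)
        results[method] = (status, classify(method, status))
        if method == "OPTIONS" and status == 200:
            # A served OPTIONS advertises the methods the server will accept.
            advertised = parse_allow(headers.get("allow"))
            print("OPTIONS advertises:", ", ".join(sorted(advertised)) or "(no Allow header)")
    return results


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    outcome = audit(target_host, target_port)
    for method, (status, verdict) in outcome.items():
        print(f"{method:8s} {status}  {verdict}")
    still_open = exposed_methods(outcome)
    print("exposed risky methods:", ", ".join(still_open) if still_open else "none")
```

Run it once before editing conf/web.xml and once after restarting Tomcat; the second run should report every risky method as blocked. For a single spot check from the command line, `curl -s -o /dev/null -w '%{http_code}\n' -X TRACE http://localhost:8080/` prints just the status code.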

Any questions? Leave a comment and I'll be sure to answer them.

2 comments:

  1. How do unused HTTP methods pose a security risk?

  2. The TRACE method simply echoes back to the client whatever string has been sent to the server, and it is used mainly for debugging purposes. The TRACE method, seemingly harmless, can be used to mount an attack known as Cross Site Tracing (XST). More info about XST can be found here:

    http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

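The reply above describes TRACE echoing the request back; the following added example shows that echo happening and what changes when TRACE is refused. It is not code from the original post or from Tomcat. It runs a toy server built on Python's http.server on an ephemeral localhost port in two configurations: one implementing TRACE as RFC 2616 section 9.8 describes (the request line and headers come back as the response body) and one refusing it with 405, as Tomcat does when the Connector's allowTrace is false (a <security-constraint> denial gives 403 instead). The JSESSIONID value is constructed for the demo.

```python
"""Why TRACE is worth disabling: it reflects the request, cookies included.

Added example, not code from the original post or from Tomcat. A toy
http.server answers TRACE either by echoing the request (RFC 2616 behaviour)
or by refusing it with 405. The cookie value is constructed for the demo.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSION_COOKIE = "JSESSIONID=0123456789ABCDEF"  # constructed value, not a real session


class EchoingTraceHandler(BaseHTTPRequestHandler):
    """TRACE per RFC 2616: send the received request line and headers back."""

    def do_TRACE(self):
        # self.headers holds every request header, including Cookie.
        body = (self.requestline + "\r\n" + str(self.headers)).encode("iso-8859-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        """Silence per-request logging so the demo output stays readable."""


class RefusingTraceHandler(EchoingTraceHandler):
    """The same server with TRACE turned off: 405 plus the Allow header RFC 2616 requires."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(handler):
    """Serve `handler` on 127.0.0.1 with an ephemeral port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def trace_reflects_cookie(port, cookie=SESSION_COOKIE):
    """Send TRACE carrying a Cookie header; return (status, cookie seen in response body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={"Cookie": cookie})
        resp = conn.getresponse()
        body = resp.read().decode("iso-8859-1")
        return resp.status, cookie in body
    finally:
        conn.close()


def run_demo(handler):
    """Start a server with `handler`, probe it once, shut it down; return the probe result."""
    server, port = start_server(handler)
    try:
        return trace_reflects_cookie(port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, handler in (("TRACE enabled", EchoingTraceHandler),
                          ("TRACE refused", RefusingTraceHandler)):
        status, leaked = run_demo(handler)
        print(f"{name}: status {status}, cookie reflected in body: {leaked}")
```

With TRACE enabled the session cookie comes straight back in the body, which is the property Cross Site Tracing relies on; with TRACE refused the client gets a 405 and nothing to read.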