I need to complete the following requests, and some of this applies to the JBoss application server. Are the configurations below correct?
Disable support for HTTP DELETE and HTTP OPTIONS in the webserver configs
Disable HTTP OPTIONS method
Disable HTTP OPTIONS method on your web server. Refer to your web server's instruction manual on how to do this.
Web servers that respond to the OPTIONS HTTP method expose what other methods are supported by the web server, allowing attackers to narrow and intensify their efforts.
So I did some research, and to change this within the JBoss configuration, this update to the domain.xml was suggested. I added the highlighted lines.
<subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="happyserver.net"/>
        <rewrite pattern=".*" substitution="-" flags="F">
            <condition test="%{REQUEST_METHOD}" pattern="^(DELETE|OPTIONS)$" flags="NC"/>
        </rewrite>
    </virtual-server>
</subsystem>
Also, I am using the JBoss Core httpd server. Where and how would I make these updates as well? We are using mod_cluster on the httpd servers.
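
An added example, not part of the original post and not JBoss code: a Python audit that parses a web subsystem fragment like the one above and reports, per virtual-server, which of DELETE and OPTIONS no forbid rule covers. The `other-host` entry, the function names, and the use of Python's `re` as a stand-in for the server's regex engine are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the rule from the post plus a hypothetical second
# virtual-server ("other-host") that carries no rewrite rule.
SAMPLE = """<subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host">
  <virtual-server name="default-host" enable-welcome-root="true">
    <rewrite pattern=".*" substitution="-" flags="F">
      <condition test="%{REQUEST_METHOD}" pattern="^(DELETE|OPTIONS)$" flags="NC"/>
    </rewrite>
  </virtual-server>
  <virtual-server name="other-host"/>
</subsystem>"""

METHODS = ("GET", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")

def local(tag):
    """Strip the XML namespace so any web subsystem schema version is accepted."""
    return tag.rsplit("}", 1)[-1]

def flag_set(value):
    return {f.strip().upper() for f in (value or "").split(",") if f.strip()}

def blocked_methods(xml_text):
    """Map each virtual-server name to the methods its forbid rules reject."""
    result = {}
    for vs in ET.fromstring(xml_text).iter():
        if local(vs.tag) != "virtual-server":
            continue
        blocked = set()
        for rw in (c for c in vs if local(c.tag) == "rewrite"):
            conds = [c for c in rw if local(c.tag) == "condition"]
            # Simplification: count only catch-all rules flagged F with exactly
            # one condition, so extra conditions cannot silently narrow the block.
            if (len(conds) != 1 or rw.get("pattern") != ".*"
                    or "F" not in flag_set(rw.get("flags"))):
                continue
            cond = conds[0]
            if cond.get("test") != "%{REQUEST_METHOD}":
                continue
            nocase = re.I if "NC" in flag_set(cond.get("flags")) else 0
            rx = re.compile(cond.get("pattern", ""), nocase)
            # Assumption: whole-string match, the stricter reading for an audit.
            blocked |= {m for m in METHODS if rx.fullmatch(m)}
        result[vs.get("name")] = blocked
    return result

def missing_blocks(xml_text, required=("DELETE", "OPTIONS")):
    """Return {virtual-server: [required methods with no forbid rule]}."""
    found = blocked_methods(xml_text)
    return {n: sorted(set(required) - b) for n, b in found.items() if set(required) - b}
```

On the sample, `missing_blocks(SAMPLE)` flags only `other-host`, which shows that the rule has to be present in every virtual-server that should reject these methods.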