Standard ways still work, including <http-method>HEAD</http-method> .
Add your test cases if you create some, thanks.
<!-- ### Security -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted</web-resource-name>
        <description>Declarative security tests</description>
        <url-pattern>/restricted/*</url-pattern>
        <http-method>HEAD</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>Only authenticated users can access secure content</description>
        <role-name>AuthorizedUser</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>no description</description>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Thanks a lot for your answer. Anyway, that looks like a web-app-wide declaration, but what about a server-wide solution? (Not sure if I am right.) I mean setting up the server instance so that it serves no HEAD requests at all (not even when they are sent to the server administration services). I didn't find the appropriate .xml config file in which to achieve such an effect.
Thanks for your response!
Sorry, I don't know about any server-wide config.
What is the use case? Why not limit that per-app? That would IMO be a better approach, since someone might forget to set that server-wide.
In my case we are looking to disable the HTTP OPTIONS method on JBoss AS 7.1, since the Acunetix audit software alerts about it:
HTTP OPTIONS method is enabled on this web server. The OPTIONS method provides a list of the methods that are supported by the web server; it represents a request for information about the communication options available on the request/response chain identified by the Request-URI. The OPTIONS method may expose sensitive information that may help a malicious user to prepare more advanced
Did anyone find a working server-wide solution or workaround?
Thanks in advance.
The working solution is what Ondrej wrote above. The web server exposes only your web applications, which means that all you need to do is add part of the configuration to your web.xml. The config should probably be something along the lines of:
<description>Declarative security tests</description>
i.e. for every URL, allow only GET and POST.
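The following is an added example (not code posted by Ondrej, Tomaz or the JBoss project) of a web.xml that does what Tomaz describes: every URL in the application accepts only GET and POST, and every other method (HEAD, OPTIONS, TRACE, PUT, DELETE and anything unknown) is refused with 403. It also illustrates the caveat with the earlier constraint that enumerates methods with `<http-method>`: a security-constraint only covers the methods it lists, so OPTIONS and TRACE remain unconstrained on `/restricted/*` in that configuration, which is exactly what the Acunetix finding is about. The example assumes a Servlet 3.0 deployment descriptor (JBoss AS 7.1 implements Java EE 6, so `<http-method-omission>` is available there; the Servlet 3.1 `<deny-uncovered-http-methods/>` element is not).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, assumed to live at WEB-INF/web.xml of the deployed application. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Deny every HTTP method except GET and POST on every URL of this application.
       <http-method-omission> inverts the match: the collection covers all methods
       NOT listed here. An empty <auth-constraint/> means "no role may access",
       so the container answers 403 Forbidden before any servlet runs.
       HEAD is intentionally not omitted, so HEAD is refused as well. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Disallowed HTTP methods</web-resource-name>
      <description>Refuse everything that is not GET or POST</description>
      <url-pattern>/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Contrast (weak setting): enumerating methods with <http-method> covers ONLY
       those methods. Here OPTIONS, TRACE and unknown methods on /restricted/* are
       left uncovered, i.e. unauthenticated and answered normally by the container. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted (enumerated methods only)</web-resource-name>
      <url-pattern>/restricted/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AuthorizedUser</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
```

To verify after deploying, send `curl -i -X OPTIONS http://host:8080/yourapp/` and `curl -i -I http://host:8080/yourapp/` (HEAD); both should return 403 from the first constraint, while a plain GET still returns the page. The second constraint is included only to show the uncovered-methods pitfall; in a real descriptor you would keep just the first, and add role-based constraints with `<http-method-omission>` rather than `<http-method>` so that no method falls outside every constraint.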
Thank you Tomaz,
I will try this solution. However, it is still an application-side solution, since I am adding these lines to my web.xml.
Do you know if JBoss AS 7.x has something like a web.xml, in the same way Tomcat has $CATALINA_BASE/conf/web.xml, to make this solution server-wide?