Hello Everyone,

We got one security point for which we need to disable the OPTIONS Http Method and also disable the Allowed method of the HTTP response.  we are able to disable the OPTIONS method and it returns 403 as response but it shows allow like this  ; Allow : GET, POST, how do we remove this Allow property from HTTP response.

To remove Allow property we have tried By adding

<valve>

  <class-name>org.jboss.web.rewrite.RewriteValve"</class-name>

</valve>

in jboss-web.xml file and placed in the WEB-INF folder of the web application. Also added rewrite.properties file containing the rewrite directives in the same folder which contains :

RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|OPTIONS)$ [NC]

RewriteRule .* - [F]

But we are unable to deploy .war file.

Please follow the below link:

URLs:

https://docs.jboss.org/jbossweb/7.0.x/rewrite.html

https://stackoverflow.com/questions/41035666/how-to-disable-http-options-method-in-jboss

http://showcase.qmaticdev.net/help/index.html#page/Reference%20Manual/32_01%20Appendix_C.16.7.html

Also we have tried the below solution but unable to remove this Allow property from HTTP response.

Using Rewrite rules in domain.xml

<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">

    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>

    <virtual-server name="default-host" enable-welcome-root="true">

        <rewrite pattern=".*" substitution="-" flags="F">

            <condition test="%{REQUEST_METHOD}" pattern="^(DELETE|TRACE|OPTIONS)$" flags="NC" />

    </rewrite>

    </virtual-server>

</subsystem>