Blocking a HTTP Verb/Method

Question

Hello!&nbsp;
Could you please help me come up with a solution on suppressing/blocking a HTTP verb? Will iRule be a good option for this? A site we host was scanned by client which showed the TRACE method was allowed. &nbsp;
Thank you for your help/advice.&nbsp;

kevin_stewart · Answer

It might be better to use a data group so you can manage multiple verbs without complicating the iRule:
when HTTP_REQUEST {    
    if { [class match [HTTP::method] equals disallowed_verbs] } {
        log local0. "Attempt by [IP::client_addr] with a forbidden HTTP verb: [HTTP::method]"            
        reject
    }
}

disallowed_verb string data group:
PUT := 1    
TRACE := 1    
DELETE := 1

kevin_stewart · Answer

That should work, and you can actually shorten it:
when HTTP_REQUEST {  
    if { [string tolower [HTTP::method]] equals "trace" } {
        log local0. "Attempt by [IP::client_addr] with a forbidden HTTP verb: [HTTP::method]"            
        reject
    }
}

nick_palmer_f5 · Answer

I do appreciate your help, Kevin! Thanks!&nbsp;

Forum Discussion

Blocking a HTTP Verb/Method

3 Replies

Bram - January 2026 Featured Member

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Can one create one virtual server with two pool members with multiple services running on it?

Maintenance page / local website that includes subfolders

AWS F5_OWASP Managed Rule Blocking requests

AST Configuration help

rSeries Configuration Backup

Related Content

F5 HTTPS Redirect 2025

Service Extensions with SSL Orchestrator: Advanced Blocking Pages

Block IP after a number of ASM Blocks

The State Of HTTP/2 With F5 LTM

Massive DDoS, DanaBot Dismantled, Scraped Discord Messages and Signal Blocks Windows Recall

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS