Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

trx's avatar
trx
Mar 08, 2010

WebDav detection

Hello all,   Does anyone know how detect a web dav (Propfind method) request using IRules and then reject it?     Any kind of help is fully appreciated.     Thanks. ...
application delivery
dev
devops
irules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Mar 08, 2010
Hi TRX,

It would be more secure to positively define which request methods you want to allow and block all others. Here is an example which uses a string type datagroup with the allowed HTTP request methods defined. You can define the datagroup in the GUI under Local Traffic >> iRules >> Datagroup List tab. 

 
 class allowed_methods_class { 
    "GET" 
    "HEAD" 
    "POST" 
 }

You can then define an iRule which references the datagroup. If you're on a version lower than 9.4.4 prepend a $:: to the datagroup name in the iRule only: $::allowed_methods_class. 

 
 when HTTP_REQUEST { 
  
     Check if request method is in the allowed_methods_class 
    if {not [matchclass [HTTP::method] equals allowed_methods_class]}{ 
  
        Illegal request method, send a 405 - Method Not Allowed response 
       HTTP::respond 405 
    } 
 }

Aaron