Forum Discussion

ee
Oct 01, 2024

Why does WAF block HTTP OPTIONS method

Does the HTTP OPTIONS method pose a significant security risk to the web application?

  • Hi ee

    I have read many articles about the threats related to the OPTIONS method; the main thing is that attackers mostly use it. If an application doesn't need the method, there is no need to use it. So as per AWAF, by default only the ones mentioned below are allowed if it's a blocking profile.

    BR

    Aswin

    • ee

      Hi, may I know what is meant by the "Methods: act as GET" from the screenshot provided?

  • Hello ee

    As per my understanding,

    If you do not expect requests to contain HTTP data following the HTTP header section, select act as GET.

    If you expect requests to contain HTTP data following the HTTP header section, select act as POST.

    Hope you understand the same.

    Br

    Aswin

  • Web browsers sometimes send an HTTP OPTIONS request as a safety measure for cross-domain transactions, e.g. the web page is opened from domain A but it also has JavaScript that sends an HTTP POST request to domain B.
    The HTTP OPTIONS request is sent to the URL in domain B.
    https://aws.amazon.com/what-is/cross-origin-resource-sharing

    If you're the admin of domain B, then you need to allow HTTP OPTIONS requests.
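The preflight behaviour described in the last reply, as an added example that is not part of the original thread and is not F5 or browser code: a simplified model of the Fetch standard's CORS rules showing which cross-origin requests make a browser send OPTIONS first, and how domain B can recognise a genuine preflight from an expected origin. The function names and the `a.example` origin are assumptions; header value-length limits and the `Range` header are not modelled.

```javascript
// Methods, headers and content types that do NOT trigger a preflight (simplified).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Lower-case header names so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// Would a browser send an OPTIONS preflight before this cross-origin request?
// `headers` are the ones set by page script, not those the browser adds itself.
function needsPreflight(method, headers) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(normalize(headers))) {
    if (!SAFE_HEADERS.has(name)) return true;
    if (name === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// On domain B: is this incoming request a CORS preflight from an origin we expect?
// A preflight is OPTIONS carrying Origin and Access-Control-Request-Method.
function isExpectedPreflight(req, allowedOrigins) {
  const h = normalize(req.headers);
  return req.method.toUpperCase() === "OPTIONS"
    && "access-control-request-method" in h
    && allowedOrigins.includes(h["origin"]);
}

// Constructed sample: page on domain A posting JSON to domain B.
const samplePreflight = {
  method: "OPTIONS",
  headers: { Origin: "https://a.example", "Access-Control-Request-Method": "POST" },
};
console.log(needsPreflight("POST", { "Content-Type": "application/json" }));
console.log(isExpectedPreflight(samplePreflight, ["https://a.example"]));
```

A WAF policy for domain B can use the same distinction: permit OPTIONS only when it has the preflight shape and a known origin, and keep blocking bare OPTIONS requests.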