Why does WAF block HTTP OPTION method

Question

Does the HTTP Option method pose significant security risk to the web application?&nbsp;

aswin_mk · Answer

Hi ee&nbsp;&nbsp;i have read in so many articles relating the threats by option method, main thing is attackers mostly using it. if an application doesn't need the method, no need of using it. so as per awaf by default below mentioned only allow if it's a blocking profile.&nbsp;&nbsp;&nbsp;BRAswin

ee · Answer

Hi, May I know what is meant by the "Methods: act as GET" from the screenshot provided?

aswin_mk · Answer

Hello ee&nbsp;&nbsp;As per my understanding,&nbsp;If you do not expect requests to contain HTTP data following the HTTP header section, select act as GET.If you expect requests to contain HTTP data following the HTTP header section, select act as POST.&nbsp;Hope you understand the same.&nbsp;BrAswin&nbsp;

zamroni777 · Answer

web browser sometime sends http options request as safety measures for cross domain transaction, e.g. the webpage is opened from domain A but it also has javascript that sends http post request to domain B
http options request is sent to url in domain B.
https://aws.amazon.com/what-is/cross-origin-resource-sharing

if you're admin of domain B, then you need to allow http options request.

Forum Discussion

Why does WAF block HTTP OPTION method

Recent Discussions

MAC address of deleted VS IP address still responsive

Different common name ssl acces 403 forbiddent

dynamic signature detection

DNS HM Probe issue

F5 looses the token for the first call

Related Content

LTM Policy Options Clarification

Block IP after a number of ASM Blocks

Block traffic

Trouble with TCP::option set 28

Load balancing method specific decision

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS