Why does WAF block HTTP OPTION method

Question

Does the HTTP Option method pose significant security risk to the web application?&nbsp;

aswin_mk · Answer

Hi ee&nbsp;&nbsp;i have read in so many articles relating the threats by option method, main thing is attackers mostly using it. if an application doesn't need the method, no need of using it. so as per awaf by default below mentioned only allow if it's a blocking profile.&nbsp;&nbsp;&nbsp;BRAswin

ee · Answer

Hi, May I know what is meant by the "Methods: act as GET" from the screenshot provided?

aswin_mk · Answer

Hello ee&nbsp;&nbsp;As per my understanding,&nbsp;If you do not expect requests to contain HTTP data following the HTTP header section, select act as GET.If you expect requests to contain HTTP data following the HTTP header section, select act as POST.&nbsp;Hope you understand the same.&nbsp;BrAswin&nbsp;

zamroni777 · Answer

web browser sometime sends http options request as safety measures for cross domain transaction, e.g. the webpage is opened from domain A but it also has javascript that sends http post request to domain B
http options request is sent to url in domain B.
https://aws.amazon.com/what-is/cross-origin-resource-sharing

if you're admin of domain B, then you need to allow http options request.

Forum Discussion

Why does WAF block HTTP OPTION method

4 Replies

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

F5 Academies Are Back – And We’re Coming to a City Near You

Recent Discussions

Failed to set RDP launch token timeout

AWAF - Do not log Geolocation violations from the Event Log

Load Balancing IIS Servers

remove www from domain

Front azure traffic from F5 LTM onpremises

Related Content

F5 BIG-IP Advanced WAF – DOS profile configuration options.

Kubernetes architecture options with F5 Distributed Cloud Services

BIG-IP deployment options with Openshift

Accessing TCP Options from iRules

F5 BIG-IP deployment with Red Hat OpenShift - the no CIS option

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS