HTTP Methods Check
HTTP methods such as TRACE, PUT, DELETE and CONNECT expose a server to Cross-Site Tracing (XST), unauthorized file creation or deletion, and open-proxy or server-side request forgery abuse when they are enabled without need. Most web applications that are not REST APIs need only GET, POST and HEAD (plus OPTIONS if they serve cross-origin requests).
Why It Matters
TRACE enables Cross-Site Tracing (XST): the server echoes the request it received, so a client that can be made to send a TRACE with credentials attached gets back HttpOnly cookies and Authorization headers that script could not otherwise read. Modern browsers refuse to issue TRACE from fetch() and XMLHttpRequest, so the classic attack needs a legacy client or plugin, but an enabled TRACE still reflects whatever a reverse proxy or load balancer adds to the request and is treated as a misconfiguration by every scanner. PUT and DELETE allow unauthenticated file uploads or deletions on servers (typically WebDAV or a misconfigured static handler) that map them to the filesystem. An OPTIONS response that advertises these methods in its Allow header hands an attacker a map of what to try next. Automated vulnerability scanners test for all of this, and the OWASP Testing Guide covers it under Test HTTP Methods (OTG-CONFIG-006 in v4, WSTG-CONF-06 in later WSTG releases).
How We Check
We send an OPTIONS request and read the Allow header to learn which methods the server advertises. Because Allow is advisory and often differs per path, we then send a TRACE request directly and treat an echoed request (a 200 whose body reflects our request headers) as TRACE enabled. Any method beyond GET, POST and HEAD that is reachable without authentication is flagged.
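The two-step procedure above, written out as a runnable Python script. This is an added example, not the scanner's own code: the target URL is whatever you pass on the command line, the X-Xst-Probe header is an arbitrary marker chosen for this example, and demo() runs the same logic over constructed responses so the script also works offline. It doubles as a quick way to re-test a server after applying the fixes below.

```python
import http.client
import ssl
import uuid
from urllib.parse import urlsplit

# Methods this check treats as the expected baseline for a typical web application.
SAFE_METHODS = {"GET", "POST", "HEAD"}


def parse_allow(header_value):
    """Split an Allow header value into a set of upper-cased method tokens."""
    if not header_value:
        return set()
    return {tok.strip().upper() for tok in header_value.split(",") if tok.strip()}


def risky_methods(allowed):
    """Methods advertised beyond the GET/POST/HEAD baseline, sorted for stable output."""
    return sorted(set(allowed) - SAFE_METHODS)


def trace_enabled(status, body, marker):
    """TRACE is live only if the server echoes the request back (RFC 9110, section 9.3.8).

    A 200 whose body contains the random marker header we sent is the positive signal.
    A 405/501, or a 200 that is merely the normal page (a server treating TRACE like GET),
    is reported as TRACE disabled, which avoids the obvious false positive.
    """
    return status == 200 and marker.encode() in body


def send(url, method, extra_headers=None, timeout=5.0):
    """One request on a fresh connection; returns (status, lower-cased header dict, body)."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                           timeout=timeout, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request(method, path, headers=extra_headers or {})
        resp = conn.getresponse()
        headers = {name.lower(): value for name, value in resp.getheaders()}
        return resp.status, headers, resp.read()
    finally:
        conn.close()


def probe(url):
    """The two-step check against a live target (network access required)."""
    # Step 1: OPTIONS discovery. Allow is advisory, so it is only the starting point.
    _, headers, _ = send(url, "OPTIONS")
    allowed = parse_allow(headers.get("allow"))
    # Step 2: a direct TRACE carrying a random marker header we can look for in the echo.
    marker = uuid.uuid4().hex
    status, _, body = send(url, "TRACE", {"X-Xst-Probe": marker})
    return {
        "advertised": sorted(allowed),
        "risky": risky_methods(allowed),
        "trace_enabled": trace_enabled(status, body, marker),
    }


def demo():
    """Offline walk-through over constructed responses, mirroring what probe() does."""
    # Constructed OPTIONS reply advertising more than the baseline.
    advertised = parse_allow("GET, HEAD, POST, OPTIONS, TRACE")
    # Constructed TRACE echo, as a server with TRACE enabled returns (message/http body).
    marker = "deadbeef"
    echoed = b"TRACE / HTTP/1.1\r\nHost: example.com\r\nX-Xst-Probe: deadbeef\r\n\r\n"
    return {"risky": risky_methods(advertised),
            "trace_enabled": trace_enabled(200, echoed, marker)}


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(probe(sys.argv[1]) if len(sys.argv) > 1 else demo(), indent=2))
```

Run it as `python3 check_methods.py https://example.com/` to probe a live host, or with no argument to see the offline walk-through. OPTIONS showing up in the risky list is expected on an application that serves CORS preflight requests; the finding that matters there is PUT, DELETE or TRACE.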
How to Fix
Restrict HTTP methods to those your application actually uses. Two cautions before copying the snippets below: a REST API that needs PUT, DELETE or PATCH should keep them and enforce authentication on them rather than block them, and an application that serves cross-origin requests needs OPTIONS for CORS preflight, so add it to the allow list. A 405 response must also carry an Allow header listing the permitted methods (RFC 9110, section 15.5.6).
Apache — add to .htaccess or VirtualHost. Note that Apache handles TRACE in the core and it is not affected by LimitExcept, so TraceEnable off must also be set in the server or VirtualHost config (it is not valid in .htaccess):
<LimitExcept GET POST HEAD>
Require all denied
</LimitExcept>
TraceEnable off
Nginx — add to your server or location block. A bare return inside if is one of the safe uses of if; nginx already answers TRACE with 405 because it does not implement the method, so this mainly covers PUT, DELETE and friends on locations that would otherwise accept them. Inside a location block, limit_except is the alternative:
if ($request_method !~ ^(GET|POST|HEAD)$) {
return 405;
}
IIS — in web.config, use request filtering to allow only the listed verbs. TRACE is handled by HTTP.sys in front of IIS rather than by this filter, so confirm it with a direct TRACE request rather than relying on web.config alone:
<system.webServer>
<security>
<requestFiltering>
<verbs allowUnlisted="false">
<add verb="GET" allowed="true" />
<add verb="POST" allowed="true" />
<add verb="HEAD" allowed="true" />
</verbs>
</requestFiltering>
</security>
</system.webServer>
Caddy — add to your Caddyfile:
@blocked {
not method GET POST HEAD
}
respond @blocked 405
Node.js / Express — register this middleware before any routes so it runs first. The Allow header is set because RFC 9110 requires one on a 405 response:
const ALLOWED_METHODS = ['GET', 'POST', 'HEAD'];
app.use((req, res, next) => {
  if (!ALLOWED_METHODS.includes(req.method)) {
    // Reject anything outside the allow list and tell the client what is permitted.
    res.set('Allow', ALLOWED_METHODS.join(', '));
    return res.sendStatus(405);
  }
  next();
});