Can we disable HTTP Actions/Methods?

Document ID : KB000100111
Last Modified Date : 05/06/2018
Question:
The customer considers PUT, DELETE, OPTIONS, TRACE and other methods to be unsafe.
Can the customer disable these methods, and are they unsafe?
Environment:
PAM
Answer:
Usually, when a customer finds vulnerabilities, they should provide a URL that was found to accept those HTTP actions, so that CA can determine whether they can be blocked.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods

The vulnerability scan should have pointed out the specific HTTP verbs, listed them, and stated that they should be disabled if they are not in use.
If the methods are required, this is not a vulnerability, because they cannot be disabled without breaking functionality.

PUT is used when you upload files. - You do need to upload patches to PAM for an upgrade.
DELETE is used when you delete a file. - You do need to delete patches.
OPTIONS is used when you try to download a file. - You do need to download files.

If there is a report from a vulnerability scan, please share the report with CA Support to determine whether the finding is indeed a vulnerability and whether a fix needs to be provided.
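One way to prepare such a report for review, as an added example that is not CA's code: it reads the `Allow` header from captured OPTIONS responses and separates the methods this article lists as required from those that are candidates for disabling. The host names and responses are constructed, and treating GET, HEAD and POST as required is an assumption made here.

```python
from email.parser import Parser

# PUT, DELETE and OPTIONS are the methods the article describes as required.
# GET, HEAD and POST are an assumption added for ordinary web UI traffic.
REQUIRED = {"PUT", "DELETE", "OPTIONS", "GET", "HEAD", "POST"}


def allowed_methods(raw_response):
    """Return the set of methods named in the Allow header(s) of a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    _status_line, _, header_block = head.partition("\r\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    methods = set()
    # Header names are case-insensitive and Allow may appear more than once.
    for value in headers.get_all("Allow", []):
        methods.update(m.strip().upper() for m in value.split(",") if m.strip())
    return methods


def triage(findings):
    """Map each URL to its required methods and the ones to review for disabling."""
    report = {}
    for url, raw in findings.items():
        methods = allowed_methods(raw)
        report[url] = {
            "required": sorted(methods & REQUIRED),
            "review": sorted(methods - REQUIRED),
        }
    return report


# Constructed sample: responses to OPTIONS requests as a scanner might record them.
SAMPLE = {
    "https://pam.example.test/upload":
        "HTTP/1.1 200 OK\r\nAllow: GET, PUT, DELETE, OPTIONS\r\n"
        "Content-Length: 0\r\n\r\n",
    "https://pam.example.test/status":
        "HTTP/1.1 200 OK\r\nallow: GET, HEAD\r\nAllow: TRACE, OPTIONS\r\n\r\n",
}

if __name__ == "__main__":
    for url, result in triage(SAMPLE).items():
        print(url, "required:", result["required"], "review:", result["review"])
```

Only the URLs with a non-empty `review` list need to be raised with support, together with the URL that accepted the method.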