Vulnerability ID V26396, STIG ID WA00565 for HTTP request methods.

Document ID : KB000019300
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

Vulnerability ID V26396, STIG ID WA00565, HTTP request methods must be limited.
For every enabled <Directory> directive (except root), ensure the following entry exists:
Order allow,deny
<LimitExcept GET POST OPTIONS>
Deny from all
</LimitExcept>
If the statement is not found inside an enabled <Directory> directive, this is a finding.
Note: If the LimitExcept statement above is operationally limiting. This should be explicitly documented with the Web Manager, at which point this can be considered not a finding.

Solution:

To resolve this issue, please add the parameters to the $NH_HOME/web/httpd/httpd.tpl file somewhere between the comments which are already present in the file.

Note: Please take a copy of $NH_HOME/web/httpd/httpd.tpl file before making any changes.

# Custom Protect Section
# End Custom Protect Section

Example:

# Custom Protect Section


<Location /status>
   Options 
   AllowOverride None
<LimitExcept GET>
Deny from all
</LimitExcept>
  SetHandler server-status
</Location>

# End Custom Protect Section

The comments must remain intact