It’s easy to stop Optionsbleed with mod_security, unless you need HTTP OPTIONS on your web server. If you’re using CRS, you can uncomment rule number 900200 in crs-setup.conf. The idea here is to only allow what needs to be allowed, and drop everything else. Of course, if you’re not using limits, it may not be a problem.
SecAction \
 "id:900200,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_methods=GET HEAD POST'"
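To confirm the setting took effect, the following added example (not from the original post or from the CRS project) reads the text of crs-setup.conf and reports whether rule 900200 is active and whether OPTIONS is missing from tx.allowed_methods. The function names and the two derived sample inputs are constructed for illustration.

```python
import re

def logical_lines(text):
    """Yield active directives: drop '#' lines, join backslash continuations."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            buf = ""              # a commented line ends any directive in progress
            continue
        if line.endswith("\\"):
            buf += line[:-1]      # continuation: keep collecting
            continue
        buf += line
        if buf:
            yield buf
        buf = ""

def allowed_methods(conf_text):
    """Return the method set from an active rule 900200, or None if it is not active."""
    for line in logical_lines(conf_text):
        if line.startswith("SecAction") and re.search(r"\bid:900200\b", line):
            m = re.search(r"setvar:'?tx\.allowed_methods=([^'\",]+)", line)
            if m:
                return set(m.group(1).split())
    return None

def audit(conf_text):
    methods = allowed_methods(conf_text)
    if methods is None:
        return "rule 900200 is commented out or missing"
    if "OPTIONS" in methods:
        return "OPTIONS is still allowed"
    return "OPTIONS is not allowed: " + " ".join(sorted(methods))

# The rule as given in the post.
PAGE_RULE = r"""SecAction \
 "id:900200,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_methods=GET HEAD POST'"
"""
# Constructed variants: the same rule commented out, and with OPTIONS left in.
COMMENTED = "\n".join("#" + l for l in PAGE_RULE.splitlines())
WITH_OPTIONS = PAGE_RULE.replace("POST", "POST OPTIONS")

if __name__ == "__main__":
    for name, conf in [("page", PAGE_RULE), ("commented", COMMENTED), ("options", WITH_OPTIONS)]:
        print(name, "->", audit(conf))
```

In practice, pass the contents of your own crs-setup.conf to `audit()` after editing it.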