how to disable insecure http methods(OPTIONS,PUT,DELETE)

9.6k Views Asked by subash At 11 April 2025 at 09:20

I have an web application hosted in IIS 8.5. I would like to disable the insecure http methods(OPTIONS,PUT,DELETE). so to check if the method is disabled or not I am using burp suite.

I have disabled by navigating to Requestfiltering-> HTTPVerbs ->DenyVerbs and added PUT and DELETE in IIS.

when I tried using PUT method in burp suite, it was showing HTTP/1.1 404 Not Found.404 - File or directory not found. my expectation was if a HTTP method is disabled and when we try the method using burpsuite it should be displaying "405 Method Not Allowed".

Original Q&A

There are 1 best solutions below

Potti On 09 November 2017 at 16:41

You need to make these settings in the web.config file.

<system.web>
...
  <httpHandlers>
  ... 
    <add path="*" verb="OPTIONS" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="*" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="*" verb="HEAD" type="System.Web.DefaultHttpHandler" validate="true"/>

For more information, look at the BrutalDev's post

how to disable insecure http methods(OPTIONS,PUT,DELETE)

There are 1 best solutions below

Related Questions in IIS-8

Related Questions in HTTP-PUT

Related Questions in REQUESTFILTERING

Trending Questions

Popular # Hahtags

Popular Questions