Legacy Knowledge Base
Published Jun. 30, 2025

Insecure HTTP methods

Written By

Balázs Létai

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How to articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • HTTP methods like HEAD, OPTIONS, and TRACE may provide information about the application that can be used in attacks like XST, CSRF, and theft of sensitive information.
    How can we disable insecure or unnecessary HTTP methods?

  • How to enable the SECURE attribute to disallow the cookie to be sent over an unencrypted channel?

Environment

  • Liferay DXP 7.1+

Resolution

  • To disable insecure or unnecessary HTTP methods like OPTIONS, HEAD, and TRACE, you can configure your web server to restrict access to these methods. The exact steps may vary depending on the web server you are using. Here are instructions for two popular web servers, Apache and Nginx:

    Disabling insecure HTTP methods in Apache:
    Open your Apache configuration file (e.g., httpd.conf or apache2.conf) in a text editor.
    Add the following lines to the file:

    <Directory "/path/to/your/web/root">
        <LimitExcept GET POST>
            # Apache 2.2 access-control syntax (on 2.4 it needs mod_access_compat;
            # the native 2.4 equivalent is "Require all denied")
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Directory>

    Replace "/path/to/your/web/root" with the actual path to your web root directory.
    Save the changes to the configuration file.
    Restart Apache to apply the changes.
    This configuration denies access to all HTTP methods except GET and POST, effectively disabling OPTIONS, HEAD, TRACE, and other methods.

    Disabling insecure HTTP methods in Nginx:
    Open your Nginx configuration file (e.g., nginx.conf) in a text editor.
    Add the following lines inside the "http" block:

    # This location block belongs inside a server { } block (which itself sits in http { }).
    location / {
        # Reject every method except GET and POST with 405 Method Not Allowed
        if ($request_method !~ ^(GET|POST)$) {
            return 405;
        }
        # ... other configuration directives
    }

    Save the changes to the configuration file.
    Restart Nginx to apply the changes.
    This configuration returns a 405 (Method Not Allowed) response for any HTTP method other than GET and POST, effectively disabling OPTIONS, HEAD, TRACE, and other methods.
    By configuring your web server to deny access to insecure HTTP methods, you can protect against attacks that exploit vulnerabilities related to these methods, such as Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF).

  • The SECURE attribute ensures that the cookie is only sent over an encrypted (HTTPS) connection and not over an unencrypted (HTTP) channel.
    Set this to true to invalidate the session when a user logs into the portal. This helps prevent phishing. Set this to false if you need the guest user and the authenticated user to have the same session.
    Set this to false if the property "company.security.auth.requires.https" is set to true and you want to maintain the same credentials across HTTP and HTTPS sessions.
    Env: LIFERAY_SESSION_PERIOD_ENABLE_PERIOD_PHISHING_PERIOD_PROTECTION
    Default:
    session.enable.phishing.protection=true
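The two resolutions above are only as good as the check you run after deploying them. The following script is an added example, not code from the article or from Liferay: it starts a tiny local HTTP server that stands in for a reverse proxy with the GET/POST allow-list applied and a Secure, HttpOnly session cookie, then audits it the way you would audit a real Liferay front end. The server, the cookie name/value and the probed method list are constructed for the demo; point probe_methods() and audit_cookies() at a real host and port to audit an actual instance.

```python
"""Post-deployment check for HTTP method restrictions and cookie attributes.
Added illustration, not code from the Liferay article. The local stand-in server
is constructed here; the audit functions work the same against a real front end."""
import threading
from http.client import HTTPConnection
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_METHODS = ("GET", "POST")
# Methods worth probing after a deployment; TRACE and OPTIONS are the ones the article calls out.
PROBE_METHODS = ("GET", "POST", "HEAD", "OPTIONS", "TRACE", "PUT", "DELETE")
# Constructed cookie; a real Liferay instance issues its own JSESSIONID.
SAMPLE_COOKIE = "JSESSIONID=constructed-example; Path=/; Secure; HttpOnly"


class HardenedHandler(BaseHTTPRequestHandler):
    """Behaves like the Apache/Nginx rules above: methods outside the allow-list get 405."""

    def _respond(self):
        if self.command not in ALLOWED_METHODS:
            self.send_response(405)
            # RFC 9110: a 405 response must list the permitted methods in Allow.
            self.send_header("Allow", ", ".join(ALLOWED_METHODS))
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Set-Cookie", SAMPLE_COOKIE)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


# BaseHTTPRequestHandler dispatches on do_<METHOD>; route every probed method to _respond
# so the allow-list decision is made in one place (an unknown method would otherwise be 501).
for _method in PROBE_METHODS:
    setattr(HardenedHandler, "do_" + _method, HardenedHandler._respond)


def start_server():
    """Start the stand-in server on an ephemeral localhost port."""
    server = HTTPServer(("127.0.0.1", 0), HardenedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_methods(host, port, methods=PROBE_METHODS, path="/"):
    """Return {method: status_code}; after hardening, only GET and POST should not be 405."""
    results = {}
    for method in methods:
        conn = HTTPConnection(host, port, timeout=5)
        conn.request(method, path)
        response = conn.getresponse()
        response.read()
        results[method] = response.status
        conn.close()
    return results


def audit_cookies(host, port, path="/"):
    """Return {cookie_name: {"secure": bool, "httponly": bool}} parsed from Set-Cookie headers."""
    conn = HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    response = conn.getresponse()
    response.read()
    findings = {}
    for header_value in response.msg.get_all("Set-Cookie") or []:
        jar = SimpleCookie()
        jar.load(header_value)
        for name, morsel in jar.items():
            findings[name] = {
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    conn.close()
    return findings


def run_audit():
    """Spin up the stand-in, audit it, shut it down; returns (method_results, cookie_findings)."""
    server = start_server()
    host, port = server.server_address
    try:
        return probe_methods(host, port), audit_cookies(host, port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    methods, cookies = run_audit()
    for method, status in methods.items():
        print(f"{method:8s} -> {status}")
    for name, flags in cookies.items():
        print(f"{name}: Secure={flags['secure']} HttpOnly={flags['httponly']}")
```

Two things to keep in mind when reading the results against a real deployment: the allow-list as written also blocks HEAD and OPTIONS, which can break load-balancer health checks and CORS preflight requests, so verify on a staging instance before rolling it out; and a cookie will only carry the Secure attribute if the application sees the request as HTTPS, so run the cookie audit through the public TLS hostname rather than against the backend port behind a TLS-terminating proxy.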
