Disable HTTP Methods

Hi!

I’m doing some security analysis over my Phoenix app, and it’s recommending to disable some HTTP methods (OPTIONS, TRACK, CUSTOM). I’m using the Cowboy webserver; is there a way to disable them and make my webserver more compliant?

What do you mean by “disable them”?

Hi @hauleth, I mean that if the server receives these methods, they should be discarded or something equivalent, in order to be PCI DSS compliant. Is there a way to achieve this?

Isn’t OPTIONS required for preflight scenarios?

Regardless, you can trivially add a Plug to your endpoint.ex module that checks the HTTP method and, if it’s on your disallow list, you can return whatever status code you like and halt.

2 Likes
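
The Plug suggested in the last reply, sketched as an added example (not code from the thread or from Phoenix itself). The module name `MyAppWeb.Plugs.AllowedMethods`, the `:allowed` option and the default method list are assumptions; it uses an allow list instead of a disallow list so that arbitrary custom method names are rejected too, and it leaves OPTIONS out by default, so add it back if the app answers CORS preflight requests.

```elixir
defmodule MyAppWeb.Plugs.AllowedMethods do
  @moduledoc """
  Rejects any request whose HTTP method is not explicitly allowed.
  Hypothetical module name; added example, not from the thread.
  """
  @behaviour Plug
  import Plug.Conn

  # Assumed default. Append "OPTIONS" if browsers send CORS preflight
  # requests to this endpoint, otherwise those requests will get a 405.
  @default_allowed ~w(GET HEAD POST PUT PATCH DELETE)

  @impl true
  def init(opts), do: Keyword.get(opts, :allowed, @default_allowed)

  @impl true
  def call(%Plug.Conn{method: method} = conn, allowed) do
    # conn.method is the method token as received; HTTP methods are
    # case-sensitive, so an exact string comparison is intended here.
    if method in allowed do
      conn
    else
      conn
      # A 405 response lists the methods the server does accept.
      |> put_resp_header("allow", Enum.join(allowed, ", "))
      |> send_resp(405, "Method Not Allowed")
      # halt/1 stops the pipeline so the router never sees the request.
      |> halt()
    end
  end
end

# In the endpoint module (endpoint.ex), ahead of the router plug:
#
#   plug MyAppWeb.Plugs.AllowedMethods
#   plug MyAppWeb.Router
#
# or with an explicit list that keeps preflight working:
#
#   plug MyAppWeb.Plugs.AllowedMethods,
#     allowed: ~w(GET HEAD POST PUT PATCH DELETE OPTIONS)
```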