How To Disable The Vulnerability of Options Method in IIS and Apache

Options are analytical protocols commonly utilized to repair and clear up these web servers. It is an HTTP system that mainly specifies the HTTP Methods permitted on a web server. However, it is not commonly used to perform a reasonable task on the server. Most frequently, it serves as a crack that lets attackers have an easy way to launch an attack. It is thus, recommended to block that possible access by disabling the Options method.

How to close that loophole and secure your server

The best way to handle this issue is to disable the OPTIONS method. This article tells you what you need to do and steps you ought to follow to disable it.

Different Ways to disable Options

There are different ways to disable options. These differ based on the type and version of the web server.

How to disable options in New versions of IIS

To disable options in IIS, disallow the OPTIONS verb out of the rulings of HTTP Verb Request Filtering in IIS. To do this, follow these steps:

Step 1: Click to Open IIS Manager.

Step 2: Click on the name of the appliance to set it up globally. Alternatively, alter the particular website that you are setting this up for.

Step 3: Click on “RequestFiltering” twice.

Step 4: Alter the button of HTTP Verbs.

Step 5: Visit the Actions panel and choose “Deny Verb“.

Step 6: Integrate ‘OPTIONS’ in the Verb, and click on OK to save the alterations you just made.

How to disable options in old versions of IIS

Step 1: Go to IIS Manager and right click on the website and click on Properties.

Step 2: Change to the Home Directory, and hit on the Configuration tab.

Step 3: This displays a list of app extensions. Find the extension that is being utilized by your web app and click on Edit.

Step 4: When the window displays, go to the Limit To field and select the system that you want to enable and delete the remaining that are not required.

How to disable options in Apache

The standard way to disable particular HTTP process in the Apache web server is through mod rewrite. Mod rewrite is a statutes-dependent, rewriting engine which can be loaded in the typical apache set up file. The rewriting machine can as well loaded as section of an .htaccess file. The least amount of elements to a mod_rewrite decree or ruling is four. These are; the commands that display the module, the commands that alter the rewrite machine on, a rewrite order, and a rewrite ruling.

Follow the step below to implement this:

Step 1: Check the Apache setup file

Look inside your apache set up file(s) to see if you can locate the If you do not locate it, integrate the command line into your apache set up file commonly referred to as httpd.conf):

LoadModule rewrite_module /usr/lib/apache2/modules/

Step 2: Enable a rewrite machine

To allow the rewrite machine, implement this code: RewriteEngineOn

Step 3: Disable Option

To disable option, implement this code:

RewriteRule .* - [F]
RewriteRule .* - [F]

Steps 4: Configure flags

At this stage, you need to configure Flags.Configure [F] to stand for not allowed query. In the same way, configure [R] to represent the redirection of the page.

It is essential to let you know at this point that pre-set rewrite setups are not transferred between virtual servers. Incorporate RewriteEngine into every individual virtual host.

How to disable options in Apache Tomcat

In Apache Tomcat, security is improved through security constraints structured into the Java Servlet arrangement. These are not present inside the main server.xml file found in tomcat but inside the web.xml configuration file.


// Sample Security Constraint
<strong>restricted methods</strong>
<auth-constraint />


Check out the top 3 Best web hosting services

  • Click this link and all your queries to best hosting will end.

Was this article helpful?