
Insecure HTTP Methods Enabled - How to disable


We are running Rational AppScan on our app URL and it comes back with the following result:

It seems that the web server is configured to allow one (or more) of the following HTTP methods (verbs) - DELETE - SEARCH - COPY - MOVE - PROPFIND - PROPPATCH - MKCOL - LOCK - UNLOCK - PUT

To fix this I added a RewriteRule to forbid any of these methods. Now when I test manually I get response code 403:

curl -X PUT https://someurl.com/somecontext/somepage.xhtml

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /somecontext/somepage.xhtml
on this server.</p>
</body></html>

But Rational AppScan still shows this as a problem. Has anyone encountered the same problem? This URL goes to a Tomcat backend via AJP. Would appreciate a solution for this.

PS: I had Limit and LimitExcept in mind, but I am not sure if it will block the requests that go via mod_proxy or mod_jk.


Solution

  • The simple solution that worked in the end

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
    RewriteRule .* - [R=405,L]
    

    This keeps the app scan happy (and me as well).
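A way to verify the rule from the command line after deploying it, as an added example that is not part of the original post or answer: it probes each method the scanner listed (plus OPTIONS and TRACE, which scanners also commonly try) against a URL you pass in and reports any that are not refused. The URL and script name are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that every method outside
# GET/POST/HEAD is rejected by the Apache front end. Pass the target URL as $1,
# e.g. the real page path from the question, since a rewrite rule may only be
# reached on some paths.

# Methods flagged by the scanner, plus OPTIONS and TRACE which scanners also probe.
METHODS="DELETE SEARCH COPY MOVE PROPFIND PROPPATCH MKCOL LOCK UNLOCK PUT OPTIONS TRACE"

# Return 0 when the status code shows the server refused the method.
# 403 (the first RewriteRule), 405 (the final one) and 501 all count as blocked;
# 2xx/207 would mean the request reached the application.
blocked_status() {
    case "$1" in
        403|405|501) return 0 ;;
        *) return 1 ;;
    esac
}

# Send a single request with the given method and print only the status code.
probe_method() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 -X "$1" "$2"
}

# Probe every method; print one line each and return 1 if any got through.
check_all() {
    url="$1"
    rc=0
    for m in $METHODS; do
        code=$(probe_method "$m" "$url")
        if blocked_status "$code"; then
            printf '%-10s %s blocked\n' "$m" "$code"
        else
            printf '%-10s %s NOT BLOCKED\n' "$m" "$code"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_methods.sh https://someurl.com/somecontext/somepage.xhtml
if [ -n "$1" ]; then
    check_all "$1"
fi
```

Note that the final rule also returns 405 to OPTIONS, so a scanner cannot learn the method list from an Allow header either; if a method still shows as NOT BLOCKED, check that the rule lives in a scope Apache evaluates before handing the request to mod_proxy or mod_jk.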