I have some WFS and WMS layers published in geoserver and trying to access from my application. I want to ensure geoserver allows POST request only and block other like GET, PUT etc. I followed the link https://docs.geoserver.org/stable/en/user/security/service.html and changed rest.properties to include only POST method but still GET is allowed. Is there anything missing?
Changing the REST API will only prevent the normal usage of the REST API which will have no effect on WMS and WFS services.
Turning GET access off will prevent the vast majority of WMS clients from accessing your service as a GET request for a getmap endpoint is the standard way to get a WMS map. WFS clients will be less affected as the normal mode of operation is POST. In none of the current OGC services is PUT used so turning that off will have no effect.
Since (pretty much) the whole point of GeoServer is to allow the open and interoperable exchange of data there is no way to turn HTTP methods on or off for OGC services (WMS, WFS etc).
If you are trying to implement some sort of security by obscurity then this will probably not work (for long) and you should set up a proper security system on the getMap or getFeature methods as you need.
If you really (really) must try to cripple the service like this then you can probably do it using nginx or apache as a restricted front end and passing only the "right" requests to GeoServer.