
How to set HTTP OPTIONS Method in Cloudflare only to allow GET and POST


I have Cloudflare free SSL enabled on a website and I need to change the HTTP OPTIONS Method to allow only GET and POST.

I've used this command in SSH to check what methods are available:

curl -X OPTIONS https://example.com -I

and the relevant result is:

...
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xxxx)
> OPTIONS / HTTP/2
> Host: example.com
> user-agent: curl/7.68.0
> accept: */*
...

From "accept: */*" I understand that all methods are allowed and I would like to change this.

I have tried to edit the .htaccess file on the server and added

RewriteEngine on
RewriteCond %{THE_REQUEST} !^(POST|GET)\ /.*\ HTTP/1\.1$
RewriteRule .* - [F]

and it didn't seem to work. I think it may be something I can fix in Cloudflare, but I have no clue how I should do this. Does anyone know if this can be done and can point me in the right direction?

Thank you


Solution

  • I think you may be confusing a couple of concepts with the way you phrase your question. There are many ways to block any HTTP methods besides GET / PUT (both with Cloudflare, or directly on your server with htaccess).

    However, because you brought up the OPTIONS method, it sounds like you are wanting to broadcast which methods are available? In this case, you'll want to read up on the 'Access-Control-Allow-Methods' header -

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods

    Essentially this is what tells the browser (or client) after making an OPTIONS request, what methods are available for the given endpoint.

    To use it, you can either add headers with htaccess or Cloudflare.
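
An added example, not part of the original question or answer: an .htaccess that enforces a GET/POST allowlist with mod_rewrite and advertises it with mod_headers. It assumes Apache 2.4 with both modules enabled and an AllowOverride setting that permits them.

```apache
# Added example (not from the original post).
# Assumption: Apache 2.4, mod_rewrite and mod_headers loaded,
# AllowOverride permits FileInfo directives in this directory.

RewriteEngine On

# Enforce: refuse every method except GET and POST with 405.
# REQUEST_METHOD holds only the verb, so the test does not depend on
# the path or on the protocol version that appears in THE_REQUEST.
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule ^ - [R=405,L]

# Advertise: Allow is the header a 405 response uses to list the
# methods the resource supports. "always" makes mod_headers add it to
# error responses as well as successful ones.
Header always set Allow "GET, POST"

# Access-Control-Allow-Methods is only consulted by browsers on the
# response to a CORS preflight, and a preflight is itself an OPTIONS
# request. If cross-origin callers need preflights, OPTIONS has to be
# added to the allowlist above; otherwise this header is informational.
Header always set Access-Control-Allow-Methods "GET, POST"
```

To check the result, run curl -i -X OPTIONS https://example.com/ and read the status line and the Allow response header; the "accept: */*" line in the verbose output is a request header sent by curl and says nothing about allowed methods.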