
Restricting HTTP methods (TRACE)

wlsufld 2019. 1. 14. 11:11

One of the findings that comes up in every security audit.

Every method other than GET and POST should be blocked. Two caveats before you apply the configs below: HEAD is normally left enabled (Apache treats HEAD as GET inside <Limit>, so it stays allowed with the LimitExcept rule anyway), and if the application serves cross-origin requests, blocking OPTIONS will break CORS preflight, so check that before rolling it out.



1. Open APACHE config/httpd.conf.

1) Add - LimitExcept GET POST

<Directory />
    <LimitExcept GET POST>
        # Apache 2.2 access-control syntax. On 2.4 this only works while
        # mod_access_compat is loaded; the 2.4-native equivalent is the
        # single line "Require all denied".
        Order allow,deny
        deny from all
    </LimitExcept>
</Directory>

This returns 403 for every method except GET, POST and HEAD. It does not cover TRACE: Apache explicitly excludes TRACE from <Limit>/<LimitExcept>, which is why the second directive is needed.

2) Add - disable TRACE

TraceEnable Off

With TraceEnable Off, the core server (and mod_proxy) answers TRACE requests with 405 Method Not Allowed.




2. src/main/webapp/WEB-INF/web.xml

1) Add

    <!-- Restrict HTTP methods at the servlet container level.
         Only the methods listed here are covered by the constraint; GET and POST
         (and anything else not listed) pass through unchanged. On Servlet 3.0+
         containers (Tomcat 7 and later) the inverse can be expressed with
         <http-method-omission>GET</http-method-omission> etc., which denies
         every method except the omitted ones. -->
    <security-constraint>
        <display-name>Forbidden</display-name>

        <web-resource-collection>
            <web-resource-name>Protected Context</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            <http-method>TRACE</http-method>
            <http-method>COPY</http-method>
            <http-method>MOVE</http-method>
            <http-method>OPTIONS</http-method>
        </web-resource-collection>

        <!-- An auth-constraint with no role-name means nobody is allowed
             (Servlet spec 13.8.1). Do not use an empty <role-name></role-name>
             element here: that declares a role with an empty name instead. -->
        <auth-constraint />

    </security-constraint>

The container answers the listed methods with 403. Note that Tomcat's HTTP connector already rejects TRACE unless allowTrace="true" is set on the <Connector>, so the web.xml entry is a second layer rather than the only protection.


3. Result

OPTIONS request (result image not included in the extracted page)

TRACE request (result image not included in the extracted page)
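A script to reproduce the OPTIONS/TRACE check above and to verify the whole httpd.conf / web.xml hardening in one go, rather than sending the two requests by hand. This is an added example, not part of the original post; it assumes curl is installed and takes the URL to probe as its first argument. The method lists are taken from the web.xml block above plus GET/POST/HEAD as the methods that must keep working; the accepted "blocked" status codes (403 from LimitExcept and web.xml, 405 from TraceEnable Off, 501 for verbs Apache has no handler for) are the author's assumption about what the configs return.

```shell
#!/bin/sh
# check_methods.sh: verify that a server rejects every HTTP method except
# GET/POST/HEAD after the httpd.conf / web.xml hardening.
# Usage: ./check_methods.sh http://host/path
# Added example, not from the original post. Requires curl.

# Methods that must be rejected (same list as the web.xml block).
BLOCKED_METHODS="TRACE OPTIONS PUT DELETE COPY MOVE"
# Methods that must keep working.
ALLOWED_METHODS="GET POST HEAD"

# method_is_blocked STATUS -> exit 0 when the status code means the server
# refused the method: 403 (LimitExcept / web.xml security-constraint),
# 405 (TraceEnable Off), 501 (Apache has no handler for COPY/MOVE).
# Assumed mapping; adjust if your server answers differently.
method_is_blocked() {
    case "$1" in
        403|405|501) return 0 ;;
        *) return 1 ;;
    esac
}

# probe_method URL METHOD -> prints the HTTP status code, or 000 when the
# connection failed. HEAD needs -I, otherwise curl waits for a body that
# never arrives.
probe_method() {
    if [ "$2" = "HEAD" ]; then
        curl -s -I -o /dev/null -w '%{http_code}' --max-time 5 "$1"
    else
        curl -s -o /dev/null -w '%{http_code}' -X "$2" --max-time 5 "$1"
    fi
}

# check_methods URL -> one line per method, exit 1 if anything is wrong.
check_methods() {
    url="$1"
    fail=0
    for m in $BLOCKED_METHODS; do
        code=$(probe_method "$url" "$m")
        if method_is_blocked "$code"; then
            echo "ok    $m -> $code"
        else
            echo "FAIL  $m -> $code (should be rejected)"
            fail=1
        fi
    done
    for m in $ALLOWED_METHODS; do
        code=$(probe_method "$url" "$m")
        # 000 means no connection at all, which is not "allowed" either.
        if method_is_blocked "$code" || [ "$code" = "000" ]; then
            echo "FAIL  $m -> $code (should be allowed)"
            fail=1
        else
            echo "ok    $m -> $code"
        fi
    done
    return $fail
}

# Only probe when a URL was given, so the functions can also be sourced.
if [ -n "${1:-}" ]; then
    check_methods "$1"
fi
```

Run it against the same path you tested by hand; the exit status is non-zero if any blocked method got through or any allowed method stopped working, so it can go into a deployment check.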