To prevent the collection of specific system calls that could offer attackers Windows running Apache servers a backdoor, we can Turn off unwanted HTTP methods on the Apache web server. This increases the security of our web application and prevents unwanted attacks.

Prerequisites

• Apache Installed
• Administrative Access
• Backup Configuration

Steps to disable HTTP methods in Apache

Step 1: Locating Apache Configuration File

The main configuration file for Apache is named httpd.conf.this file is located at the following:

C:\Apache24\conf\httpd.conf

Step 2: Opening httpd.conf File

Using text editor like Notepad open the above file.

Step 3: Uncomment the line

Firstly, unclomment the following line in the apache configuration file opened

#LoadModule access_compat_module modules/mod_access_compat.so
(to)
LoadModule access_compat_module modules/mod_access_compat.so

Step 4: Add or Modify the <Limit> Directive

• add this line first and then proceed further.

TraceEnable off

• To disable specific HTTP methods, you need to use the <Limit> directive in the httpd.conf file. For example, to disable the TRACE and TRACK methods, add the following lines:

<Limit TRACE TRACK>
    Order allow,deny
    Deny from all
</Limit>

• This configuration tells Apache to deny all requests for the TRACE and TRACK methods. You can disable other methods similarly by listing them within the <Limit> directive.

Step 5: Restrict Methods in Specific Directories if needed

If you want to restrict methods in specific directories, you can use the <Directory> directive. For example, to disable methods in the /var/www/html directory:

<Directory "C:/Apache24/htdocs">
    <Limit DELETE>
        Order allow,deny
        Deny from all
    </Limit>
</Directory>

Step 6: Save the Configuration File

• After making the necessary changes, save the httpd.conf file.

Step 7: Restart Apache Server

• For the changes to take effect, you need to restart the Apache server. You can do this through the Apache Service Monitor or by using the command prompt. To restart via the command prompt:

httpd -k restart

• if not started:

httpd -k start

Verifying the Changes

• You can verify that the methods are disabled by using tools like cURL or browser plugins like Postman. For example, to check if the TRACE method is disabled use following commands to check:

 Invoke-WebRequest -Uri http://localhost:809 -Method TRACE

• here my domain port is 809 please change to yours. To do so, search port in the httpd file and change the url accordingly.

Output:

trace method is limited as we kep traceEnable off

Invoke-WebRequest -Uri http://localhost:809 -Method DELETE

Output:

detele method is limited

 Invoke-WebRequest -Uri http://localhost:809 -Method GET

Output:

gt method is accepted

Conclusion

Disabling HTTP methods in apache enhaces the servers security preventing the acctacks on server. One can easily disable the unwanted methods to a directory or overall server level using the steps provided in this article.