.htaccess Force GET or POST Requests
Here is how to force all HTTP requests to be either GET or POST. This easy-to-modify technique can be used for other types of requests as well.
If you want to limit the types of HTTP requests that can be made to your site, here is a simple .htaccess technique that will do the job:
<LimitExcept GET POST>
Order Allow,Deny
Deny from all
</LimitExcept>
This code snippet uses Apache’s LimitExcept directive to target any request that is not GET or POST. So anything that isn’t GET or POST gets blocked via Deny from all.
To adapt this technique for other types of requests, such as PUT and DELETE, we can write as follows:
<LimitExcept PUT DELETE>
Order Allow,Deny
Deny from all
</LimitExcept>
Using with HTTP authentication
Here is a specific implementation of the LimitExcept technique for HTTP password authentication:
# Path to the htpasswd file; a relative path is resolved against ServerRoot, so an absolute path is safer
AuthUserFile .htpasswd
AuthName "Protected Area"
AuthType Basic
<LimitExcept GET POST>
Order Allow,Deny
Deny from all
</LimitExcept>
<Limit GET POST>
Require valid-user
</Limit>
The first block of code includes the required directives to set up basic HTTP authentication. The second block of code uses LimitExcept to deny access to any request that is not GET or POST. Lastly, the third code block completes the HTTP authentication with the Require directive, but only for GET or POST requests (accomplished via Limit).
Tip: this technique can be used to secure server setups that may be vulnerable to the GETS exploit (note the “S” there).
Update
Keep in mind the technique provided here assumes that you know what you are doing, and have good reason to limit all requests to GET and POST. In general, it’s probably best to not restrict requests unless you have good reason to do so. Specifically, there are other types of requests that may be beneficial to the normal operation of your site, such as HEAD requests. If in doubt, do some research.
Bonus!
As a bonus, here is an alternate method for blocking specific types of requests using Apache’s mod_rewrite:
<IfModule mod_rewrite.c>
RewriteEngine On
# Match the request method against the list, case-insensitively ([NC]); the
# anchors make it an exact match rather than a prefix match
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK)$ [NC]
# Answer 403 Forbidden ([F]) and stop processing further rules ([L])
RewriteRule .* - [F,L]
</IfModule>
This approach is sort of the inverse of the previous technique. Here, instead of blocking any request that is not GET or POST, we are blocking any type of request that is specified in the RewriteCond. Thus, as written this snippet will block all TRACE, DELETE, and TRACK requests. Customize to suit your needs.