A fresh mix of code snippets and tutorials

.htaccess Force GET or POST Requests

Here is how to force all HTTP requests to be either GET or POST. Easy to modify technique can be used for other types of requests as well.

If you want to limit the types of HTTP requests that can be made to your site, here is a simple .htaccess technique that will do the job:

<LimitExcept GET POST>
	Order Allow,Deny
	Deny from all

This code snippet uses Apache’s LimitExcept directive to target any request that is not GET or POST. So anything that isn’t GET or POST gets blocked via Deny from all.

To adapt this technique for other types of requests, such as PUT and DELETE, we can write as follows:

<LimitExcept PUT DELETE>
	Order Allow,Deny
	Deny from all

Using with HTTP authentication

Here is a specific implementation of the LimitExcept technique for HTTP password authentication:

AuthUserFile .htpasswd
AuthName "Protected Area"
AuthType Basic

<LimitExcept GET POST>
	Order Allow,Deny
	Deny from all

<Limit GET POST>
	Require valid-user

The first block of code includes the required directives to set up basic HTTP authentication. The second block of code uses LimitExcept to deny access to any request that is not GET or POST. Lastly, the third code block completes the HTTP authentication with the Require directive, but only for GET or POST requests (accomplished via Limit).

Tip: this technique can be used to secure server setups that may be vulnerable to the GETS exploit (note the “S” there).


Keep in mind the technique provided here assumes that you know what you are doing, and have good reason to limit all requests to GET and POST. In general, it’s probably best to not restrict requests unless you have good reason to do so. Specifically, there are other types of requests that may be beneficial to the normal operation of your site, such as HEAD requests. If in doubt, do some research.


As a bonus, here is an alternate method for forcing specific types of requests using Apache’s mod_rewrite:

<IfModule mod_rewrite.c>
	RewriteRule .* - [F,L]

This approach is sort of the inverse of the previous technique. Here, instead of blocking any request that is not GET or POST, we are blocking any type of request that is specified in the RewriteCond. Thus, as written this snippet will block all TRACE, DELETE, and TRACK requests. Customize to suit your needs.


Learn more

.htaccess made easy