Secure your website experience: understanding cookie HTTP options

PUBLISHED:
5/9/2023

As you set your cookie preferences on a website, it is important to know that some methods used for communication between your browser and the server can pose a security risk. While some methods are safe, others can be exploited to launch an attack on the web server.

When a server advertises which methods it accepts, an attacker could use that information to retrieve further information from the server. The greatest risk comes from potentially unsafe methods such as PUT, DELETE, CONNECT, and TRACE. Jump to the end of this article for a quick checklist on how to secure your web experience.

Here is how these methods can be misused by attackers:

  • PUT: Allows a client to upload files to the server. An attacker can exploit this by uploading malicious files, or using the server as a file repository.
  • DELETE: Allows a client to delete a file on the server. An attacker can exploit this to deface a website or launch a DoS attack.
  • CONNECT: Allows a client to use the server as a proxy.
  • TRACE: Echoes back whatever string has been sent to the server, and is mainly used for debugging purposes. It can be used to launch an attack known as Cross Site Tracing.

If your website uses REST Web Services that require PUT or DELETE methods, it's important to ensure their usage is limited to trusted users and safe conditions.

What should you do to fix HTTP Options?

To remediate this potential vulnerability, you can disable the risky options in your server's httpd.conf file. Here are some helpful resources:
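As an added example (not part of the original article), here is how that remediation looks in an Apache httpd.conf, with the default setting shown beside a hardened one. The document root, the /api path and the password file are placeholders.

```apache
# --- Before (Apache's default): TRACE is answered, and nothing restricts
# PUT or DELETE beyond whatever handler happens to be mapped to the path.
TraceEnable on

# --- After: refuse TRACE outright (the server answers 405 Method Not Allowed).
TraceEnable off

# For the static part of the site, accept only GET, HEAD and POST.
# Every other method, OPTIONS included, is answered with 403, so the
# curl check above will no longer receive an Allow header here.
# CONNECT needs no directive: Apache refuses it unless it has been
# configured as a forward proxy (ProxyRequests On).
<Directory "/var/www/html">
    <LimitExcept GET HEAD POST>
        Require all denied
    </LimitExcept>
</Directory>

# A REST endpoint that genuinely needs PUT and DELETE (placeholder path /api):
# those two methods are limited to authenticated users, reads stay open.
# The AuthUserFile path is a placeholder.
<Location "/api">
    AuthType Basic
    AuthName "API"
    AuthBasicProvider file
    AuthUserFile "/etc/httpd/api.htpasswd"
    <Limit PUT DELETE>
        Require valid-user
    </Limit>
    <LimitExcept PUT DELETE>
        Require all granted
    </LimitExcept>
</Location>
```

Run `apachectl configtest` before reloading, then repeat the curl or nmap check below to confirm that TRACE, PUT and DELETE are no longer offered on paths that should not accept them.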

How do I check what options are allowed?

To check which options are allowed or to validate your remediation efforts, you can run the following command on your computer’s terminal:

curl -i -X OPTIONS http://ipAddressOrHostName:port

Following these steps, you can help protect your website and users from potential security threats that come from cookie misuse. This can prevent business-threatening cyber crises.

Alternatively, if you have nmap:

C:\Tools\nmap-6.40>nmap -p 443 --script http-methods localhost

Otherwise with netcat or telnet use:

$ nc www.victim.com 80
OPTIONS / HTTP/1.1
Host: www.victim.com

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 31 Oct 2006 08:00:29 GMT
Connection: close
Allow: GET, HEAD, POST, TRACE, OPTIONS
Content-Length: 0

Checklist: 

Follow this checklist to secure your web experience:

Understand the importance of secure communication

  • Recognize that communication between your web browser and the server is essential for a smooth website experience, but certain methods can pose security risks.

Know the safe and risky HTTP methods

  • Familiarise yourself with safe methods like GET, HEAD, and POST, and be aware of potentially unsafe methods like PUT, DELETE, CONNECT, and TRACE.

Be aware of potential risks

  • Understand how these risky HTTP methods can be misused by attackers to upload harmful files, delete content, or launch attacks on your website.

Limit usage of risky methods

  • If your website uses REST Web Services that require PUT or DELETE methods, ensure their usage is limited to trusted users and safe conditions.

Remediate the vulnerability

  • Disable risky HTTP options in your server's httpd.conf file to prevent potential exploitation. Refer to resources like SANS Institute, OWASP Clickjacking Defense Cheat Sheet, or Wikipedia Clickjacking for guidance.

Verify the remediation

  • Use the curl command or tools like nmap, netcat, or telnet to check which options are allowed and validate your efforts to secure the HTTP methods.

Stay informed

  • Keep yourself updated on the latest security best practices and vulnerabilities related to HTTP methods and cookies.

Educate website users

  • Provide information to your website users about the importance of secure browsing habits and the potential risks associated with certain HTTP methods.

Regularly review website security

  • Conduct periodic security assessments and audits of your website to identify and address potential vulnerabilities.

Implement Multi-Factor Authentication (MFA)

  • Consider adding MFA as an extra layer of protection to prevent unauthorised access to your website's backend and sensitive data.

Follow best practices for secure coding

  • Ensure that your website's code follows industry best practices to minimise the risk of security vulnerabilities.

Work with security experts

  • If you lack expertise in cybersecurity, consider consulting with professionals to perform security assessments and implement necessary measures.

By following this checklist and addressing potential security issues related to HTTP methods and cookies, you can enhance the security of your website and protect both your business and your users from cyber threats.