Remediation Guide 10 min read

How to Fix Dangerous HTTP Methods

Use this page when the HTTP Methods Checker shows unnecessary verb exposure on public routes.

Run HTTP Methods Checker

What This Means

HTTP method exposure becomes risky when the public edge allows verbs that do not match the route purpose. The right fix is to align allowed methods with real application behavior and make sure proxies, WAFs, and app frameworks enforce the same contract.

MethodWhat to verifyWhy it matters
TRACEWhether it is enabled anywhere publicUsually unnecessary and should stay off.
PUT / DELETEWhether the route truly needs public write behaviorCommonly exposed by mistake on legacy APIs or proxies.
OPTIONSWhether preflight behavior matches the real API contractCan be misleading or overly broad if not reviewed carefully.
WebDAV verbsWhether uncommon methods are inherited from old defaultsThese often indicate stale configuration.

Common Causes

Patterns worth checking first

  • Server defaults: The web server or framework allowed more verbs than the application intended.
  • Legacy APIs: Old endpoints still accept methods that no current workflow needs.
  • Proxy mismatch: The edge allows verbs that the origin was supposed to restrict.

How To Confirm It Safely

Confirmation steps

  • Check which routes and hosts expose the risky methods publicly.
  • Separate intentional API behavior from accidental default behavior.
  • Review CORS and preflight expectations before narrowing OPTIONS handling.
  • Confirm whether the origin and proxy enforce the same method policy.

Fix Workflow

  1. Map allowed methods by route type. Document which routes are static, public read-only, or authenticated write surfaces.
  2. Restrict obvious excess first. Disable TRACE or unused write verbs where they clearly do not belong.
  3. Align edge and origin policy. Make sure proxies, WAFs, and app frameworks enforce the same contract.
  4. Retest exposure. Re-run the checker and verify the route now exposes only the intended methods.

Implementation Examples

Nginx method restriction example
location / {
  limit_except GET POST HEAD {
    deny all;
  }
}

Rollout Risks

Method tightening can break APIs if ownership is unclear

What looks unnecessary may still support a real integration.

  • Confirm ownership before blocking write verbs.
  • Retest API clients and browser preflight behavior after changes.
Proxy-only fixes can leave the origin inconsistent

If only one layer is corrected, internal drift often returns later.

  • Align policy across stack layers.
  • Document the intended public verb contract.

Validation Checklist

Post-fix validation

  • Obvious excess methods such as TRACE are no longer exposed publicly.
  • Routes now allow only the methods they intentionally need.
  • Proxy and application behavior align on the final public response.
  • The HTTP Methods Checker confirms reduced verb exposure.

FAQ

Should I block OPTIONS everywhere?

Not if the application relies on browser preflight or legitimate API discovery behavior.

  • Review real CORS flows first.
  • Limit OPTIONS deliberately rather than blindly.
Is public DELETE always wrong?

No, but it should be intentional and protected.

  • Confirm authentication and route purpose.
  • Remove it where no current workflow depends on it.

Ready to confirm the reduced verb surface?

Run the HTTP Methods Checker again after policy updates and verify that the public route surface now matches application intent.

Run HTTP Methods CheckerCreate Account For Broader Workflow