Apache HTTP Server Version 2.5
Apache HTTP Server Version 2.5
| Description: | Easily restrict what HTTP methods can be used on the server |
|---|---|
| Status: | Experimental |
| Module Identifier: | allowmethods_module |
| Source File: | mod_allowmethods.c |
| Compatibility: | Available in Apache 2.3 and later |
This module makes it easy to restrict what HTTP methods can be used on a server. The most common configuration would be:
<Location "/"> AllowMethods GET POST OPTIONS </Location> <Location "/nopost"> AllowMethods -POST </Location>
| Description: | Restrict access to the listed HTTP methods |
|---|---|
| Syntax: | AllowMethods reset | [+|-]HTTP-method
[ [+|-]HTTP-method ] ... |
| Default: | AllowMethods reset |
| Context: | directory |
| Status: | Experimental |
| Module: | mod_allowmethods |
| Compatibility: | +/- added in 2.5.1 |
The HTTP-methods are case sensitive and are generally, as per
RFC, given in upper case. The GET and HEAD methods are treated as
equivalent. The reset keyword can be used to
turn off mod_allowmethods in a deeper nested context:
<Location "/svn"> AllowMethods reset </Location>
The TRACE method cannot be denied by this module;
use TraceEnable instead.
Normally, if multiple AllowMethods could
apply to a directory, then the most specific one is used and
others are ignored; the methods are not merged. (See how sections are merged.)
However if all the methods on the
AllowMethods directive are preceded by a
+ or - symbol, the options are
merged. Any method preceded by a + are added to the
methods currently in force, and any method preceded by a
- are removed from the methods currently in
force.
Mixing AllowMethods with a + or
- with those without is not valid syntax and will be
rejected during server startup by the syntax check with an abort.
mod_allowmethods was written to replace the rather
kludgy implementation of Limit and
LimitExcept.
