0

How to disable OPTIONS and TRACE http methods at http://localhost:9092 level in embedded tomcat? I used ZAP Security tool for testing and my request is--

OPTIONS http://localhost:9092 HTTP/1.1
Proxy-Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-gb
Content-Length: 0
Host: localhost:9092

here i am getting response-

HTTP/1.1 404
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH

I want to disable Allow line from response

Thanks In Advance

Divya Dhale
  • 1
  • 3

1 Answers1

0

you need to implement your CustomFilter for this goal. 

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class CustomFilter implements Filter {

public CustomFilter() {
}

@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    HttpServletResponse response = (HttpServletResponse) res;
    HttpServletRequest request = (HttpServletRequest) req;
    response.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, PATCH");
    chain.doFilter(req, res);
}

@Override
public void init(FilterConfig filterConfig) {
}

@Override
public void destroy() {
}
}

Hope it helps.

Alexander Petrov
  • 721
  • 4
  • 10
  • Hi Petrobruin, Thank you very much for your quick reply, but i am unable to call CustomFilter class. May i know how to call it in spring boot? – Divya Dhale Sep 02 '18 at 20:44
  • Hello, @DivyaDhale ! I've created test project for you. Please check it here https://github.com/alex-petrov81/stackoverflow-answers/tree/master/disable-http-methods – Alexander Petrov Sep 03 '18 at 06:51