ARTIFACTORY: How to disable HTTP OPTIONS in Artifactory?

Nir Shervi
2023-01-29 09:51

Relevant Versions: Artifactory 7 and above.

HTTP OPTIONS is sometimes disabled on web servers such as IIS as part of a vulnerability assessment recommendation, and the same finding is raised against the Tomcat embedded in Artifactory. The finding is typically worded as follows: web servers that respond to the OPTIONS HTTP method expose which other methods the server supports, allowing attackers to narrow and intensify their efforts. The Allow header in the OPTIONS response is what the scanner reports.

Disabling HTTP OPTIONS:

The HTTP OPTIONS method can be disabled by adding the block below to the Tomcat web.xml file at $JFROG_HOME/artifactory/app/artifactory/tomcat/conf/web.xml, inside the top-level <web-app> element (for example just before the closing </web-app> tag). The empty <auth-constraint /> permits no role at all, so Tomcat rejects every OPTIONS request to any path with 403 before it reaches Artifactory:

    <!-- ================ Disable HTTP OPTIONS ========================= -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>OPTIONS</http-method>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>

Two things to check before applying this: browsers send OPTIONS as the CORS preflight request, so any cross-origin browser integration with Artifactory will stop working once the method is blocked; and the file lives under the app directory, which upgrades overwrite, so the change has to be re-applied and re-verified after each upgrade.

After saving the change, restart the Artifactory service for it to take effect.

Verification:

Execute the following curl command on the Artifactory host to validate the HTTP OPTIONS method status. Port 8081 is the embedded Tomcat, so this bypasses the JFrog router and any reverse proxy; repeat the check against the URL clients actually use, because a proxy in front of Artifactory may answer OPTIONS itself:

curl -i -X OPTIONS http://localhost:8081

If the HTTP OPTIONS method is disabled, Tomcat answers 403 and no Allow header is returned:

HTTP/1.1 403
Cache-Control: private
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 431
Date: Wed, 04 Jan 2023 09:50:40 GMT

<!doctype html><html lang="en"><head><title>HTTP Status 403 - Forbidden</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 403 - … …

If the HTTP OPTIONS method is enabled, the same command returns 200 with an Allow header listing the supported methods, which is exactly what the scanner finding reports:

curl -i -X OPTIONS http://localhost:8081

HTTP/1.1 200
Allow: OPTIONS, GET, HEAD, POST
Content-Length: 0
Date: Wed, 04 Jan 2023 09:43:28 GMT
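The configure-and-verify procedure above as one script, added here as an example; it is not JFrog's own tooling. It inserts the security-constraint from this article into web.xml only if it is not already there (taking a backup first), and classifies the response of an OPTIONS probe so the check can be run against Tomcat directly and against the external URL in one go. The default $JFROG_HOME of /opt/jfrog, the WEB_XML override variable, the --apply/--probe flags and the hostname artifactory.example.com are assumptions of this script, not Artifactory settings.

```shell
#!/bin/sh
# Added example (not JFrog's own tooling): idempotently add the OPTIONS
# security-constraint from the article to Tomcat's web.xml, then classify
# OPTIONS probe responses. Assumes the $JFROG_HOME layout named in the article;
# the /opt/jfrog default and the WEB_XML override are assumptions of this script.
set -eu

WEB_XML="${WEB_XML:-${JFROG_HOME:-/opt/jfrog}/artifactory/app/artifactory/tomcat/conf/web.xml}"

# Insert the security-constraint just before </web-app> unless a constraint named
# "restricted methods" is already present. Prints "patched" or "already-present".
patch_web_xml() {
  f="$1"
  if grep -q '<web-resource-name>restricted methods</web-resource-name>' "$f"; then
    echo "already-present"
    return 0
  fi
  cp "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
  awk '
    /<\/web-app>/ && !done {
      print "    <!-- ================ Disable HTTP OPTIONS ========================= -->"
      print "    <security-constraint>"
      print "        <web-resource-collection>"
      print "            <web-resource-name>restricted methods</web-resource-name>"
      print "            <url-pattern>/*</url-pattern>"
      print "            <http-method>OPTIONS</http-method>"
      print "        </web-resource-collection>"
      print "        <auth-constraint />"
      print "    </security-constraint>"
      done = 1
    }
    { print }
  ' "$f" > "$f.tmp"
  mv "$f.tmp" "$f"
  echo "patched"
}

# Read a raw HTTP response (what `curl -i -X OPTIONS` prints) from stdin and print
# "disabled" for 403 (Tomcat auth-constraint) or 405 (a proxy rejecting the method),
# "enabled" for any 2xx, and "unknown" for anything else.
classify_options_response() {
  resp=$(cat)
  status=$(printf '%s\n' "$resp" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
  case "$status" in
    403|405) echo "disabled" ;;
    2??)     echo "enabled" ;;
    *)       echo "unknown" ;;
  esac
}

# Probe one base URL with OPTIONS and classify the answer.
probe_options() {
  curl -s -i -X OPTIONS --max-time 10 "$1" | classify_options_response
}

# --apply patches the real web.xml; after restarting Artifactory, --probe checks
# Tomcat directly (8081) and whatever external URL clients actually use.
if [ "${1:-}" = "--apply" ]; then
  patch_web_xml "$WEB_XML"
  echo "Restart Artifactory, then run: $0 --probe http://localhost:8081 https://artifactory.example.com"
elif [ "${1:-}" = "--probe" ] && [ $# -gt 1 ]; then
  shift
  for url in "$@"; do
    printf '%s: %s\n' "$url" "$(probe_options "$url")"
  done
fi
```

Run it with --apply on the Artifactory host, restart the service, then run it with --probe and both the localhost:8081 URL and the externally exposed URL; a "disabled" for Tomcat but "enabled" for the external URL means the proxy in front of Artifactory is answering OPTIONS itself and needs its own configuration.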