
Most security advice I see recommends turning off HTTP methods like TRACE, OPTIONS, HEAD etc. So now I have turned off most of these options on my web server, leaving only GET and POST options that can be returned. The question is, now some of my applications are using HEAD and some users are hitting errors doing stuff in the application. Checking the logs revealed some HEAD requests coming from the user end. I suspect that it's because my server has stopped responding to HEAD, so the connection has dropped. My question is, is HEAD really that unsafe, as I read that it also has its legitimate uses? Or should I just tell my application developers/project manager to change their code? Thanks.

Deer Hunter
Pang Ser Lark
    It's worth noting that the HTTP spec (RFC 2616) [states](https://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1) that: "The methods GET and HEAD MUST be supported by all general-purpose servers. All other methods are OPTIONAL" So you may wish to weigh the supposed security benefits of turning off HEAD against the possible problems created by not following the HTTP spec. – Ajedi32 Jan 25 '16 at 20:52
  • Very good answer here already, so I won't mark it as duplicate, however you might find this interesting too: http://security.stackexchange.com/q/21413/33 – AviD Jan 26 '16 at 00:38
    You probably never need TRACE on a public site. You may need OPTIONS on a REST API (for CORS). You need DELETE, PUT, PATCH on a REST API. HEAD is useful in a REST API to see if a resource exists – Neil McGuigan Jan 26 '16 at 01:09

1 Answer


HEAD is not dangerous in itself, and it does have legitimate uses. The problem is with Java EE. It has a way to set security constraints using web.xml files - but those are only applied to GET and POST, not to HEAD. This means that it can be possible to bypass authentication using HEAD. There is more information about this and other issues in this paper on penetration testing by the SANS Institute.

Whether this particular issue is applicable to your application will obviously depend on what application server and other security measures you are using.

Jenny D
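To make the web.xml point in the answer concrete, here is an added example (not from the question, the answer, or any project): a small Python check that parses a web.xml and flags `security-constraint` entries whose `web-resource-collection` lists explicit `http-method` elements. Such a constraint only covers the listed methods, so HEAD, PUT, DELETE and the rest reach the resource without the role check. The three web.xml documents are constructed samples: the weak form that lists only GET and POST, the fixed form with no method list (so the constraint covers every method), and a variant that keeps the list but adds the Servlet 3.1 `<deny-uncovered-http-methods/>` element so the container rejects uncovered methods instead of serving them.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the question): the constraint names GET and POST
# only, so a HEAD (or PUT, DELETE, ...) request to /admin/* falls outside the
# constraint and is served without the "admin" role check.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample: no <http-method> elements at all, so the constraint
# applies to every method, HEAD included.
FIXED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample: the method list stays, but Servlet 3.1's
# <deny-uncovered-http-methods/> makes the container reject any method the
# constraint does not cover instead of serving it unauthenticated.
DENY_UNCOVERED_WEB_XML = WEAK_WEB_XML.replace(
    "<security-constraint>",
    "<deny-uncovered-http-methods/>\n  <security-constraint>", 1)


def _local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(xml_text):
    """Return (resource name, url patterns, listed methods) for every
    web-resource-collection whose constraint is limited to listed methods
    and therefore leaves all other methods, HEAD included, unconstrained.
    An empty list means no such gap was found."""
    root = ET.fromstring(xml_text)
    if any(_local(e.tag) == "deny-uncovered-http-methods" for e in root):
        return []  # uncovered methods are rejected by the container
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            name, patterns, methods = "", [], []
            for child in wrc:
                text = (child.text or "").strip()
                if _local(child.tag) == "web-resource-name":
                    name = text
                elif _local(child.tag) == "url-pattern":
                    patterns.append(text)
                elif _local(child.tag) == "http-method":
                    methods.append(text.upper())
            if methods:
                findings.append((name, patterns, methods))
    return findings


def unconstrained_methods(finding, probe=("HEAD", "PUT", "DELETE", "OPTIONS", "TRACE")):
    """Methods from `probe` that the constraint in `finding` does not cover."""
    return [m for m in probe if m not in finding[2]]


if __name__ == "__main__":
    samples = (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML),
               ("deny-uncovered", DENY_UNCOVERED_WEB_XML))
    for label, doc in samples:
        gaps = audit_web_xml(doc)
        print(f"{label}: {'OK' if not gaps else 'method-limited constraint found'}")
        for f in gaps:
            print(f"  {f[0]} {f[1]} lists {f[2]}; "
                  f"unconstrained: {unconstrained_methods(f)}")
```

Run against a deployed application's WEB-INF/web.xml, the check answers the asker's real question: the fix belongs in the constraint (drop the method list, or add `<deny-uncovered-http-methods/>`), not in disabling HEAD at the web server, which breaks the clients that legitimately send it. The check does not model `<http-method-omission>` (Servlet 3.0), which inverts the list; constraints using it need separate review.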