Added by Anonymous about 3 years ago
I came around the following:
Where the OPTIONS method is mentionend as Exploitable:
Web servers that respond to the OPTIONS HTTP method expose what other methods are supported by the web server, allowing attackers to narrow and intensify their efforts.
Is this also applicable to lighttpd 1.4.51? I cannot see any "Allow: GET, HEAD, POST, TRACE, OPTIONS" in the response headers etc.
Did someone already had a look into this? and a solution if exploitable?
If you have researched this and have an educated question, please ask.
If this is a drive-by post, then please understand that we are familiar with https://tools.ietf.org/html/rfc7231#section-4.3.7 and it is part of the HTTP spec.
If you want to deny OPTIONS, then you can configure lighttpd to do so by reading the documentation: Docs_Configuration