Disabling HTTP methods to enhance security

The insecure HTTP methods such as PUT, DELETE, PATCH and TRACE could expose the backend server to various critical security issues and potentially enable the unauthorized malicious attackers the ability to upload, delete files in the backend server. Disabling the HTTP methods such as PUT, DELETE, PATCH, and TRACE in the gateway server helps enhance server security.

Configure HTTP Method in eStudio Profile Manager

To disable HTTP methods, perform the following actions in eStudio after shutting down the gateway server:

1. Open AGS profile in the Profile Management perspective.
   
   

   

2. Go to APIGateway > Fiorano > APIGateway> Jetty > PeerAPIManagementJetty.

3. Provide a value in the following format to the DisableHttpMethods property:

   CODE

   /debug/*:MethodName1,MethodName2;/*:MethodName1,MethodName2

   

   Multiple methods can be set separated by commas and the ones separated by a semicolon are the following:

   • /* blocks methods
   • /debug/* blocks methods in debugged projects 

   

4. Save the profile (CTRL+S) and start the gateway server.

Test the response in Fiorano API Dashboard

To confirm whether the settings are applied to the gateway server configuration, perform the following actions in Fiorano Dashboard:

1. Login to Fiorano API Dashboard (http://localhost:1981/apimgmt).

2. Create an API project (with one of the resources set in the DisableHttpMethods property) and deploy it under any Server Group.
   
   

   

   

   Resource Configuration

   To crosscheck or edit a resource in an existing project, check in the Resources section.

   

3. Open the project and click the resource URL to open it.
   
   

   

   

   It throws an HTTP error if its method matches the one configured in the server profile.