disable http method OPTIONS


Vincent Pek

Oct 30, 2020, 2:40:45 AM
to Prometheus Users
Would like to ask if there are any ways that I can disable the HTTP method "OPTIONS", as my security scan has flagged this as an issue.
Is this method required for Prometheus to run?

Brian Candler

Oct 30, 2020, 4:12:41 AM
to Prometheus Users
What exactly does your security scanner say about OPTIONS on prometheus? It sounds like a false positive.

Vincent Pek

Oct 30, 2020, 5:01:42 AM
to Prometheus Users
It gave a CVSS score of 2.6 (low) and highlighted "http-options-method-enabled".

I could possibly have this waived off, but I need to know if it is required, or whether there is any way I can disable it if it is not critical for it to be used.

l.mi...@gmail.com

Oct 30, 2020, 5:16:20 AM
to Prometheus Users
Might be https://www.rapid7.com/db/vulnerabilities/http-options-method-enabled

"Web servers that respond to the OPTIONS HTTP method expose what other methods are supported by the web server, allowing attackers to narrow and intensify their efforts."

Which feels like a bit of a stretch; it's only a problem if it enables other attacks, and given the number of HTTP methods it won't slow down any attacker.
It's a bit like saying "a login form exposes where to input user password for a brute-force attack" ;)

Vincent Pek

Oct 30, 2020, 5:45:48 AM
to Prometheus Users
Agree on that, but my company policy states that even for info/low I need to seek a waiver to close it off.

Just need some closure on this. If it is indeed used then I can declare that it is required and accept it.

l.mi...@gmail.com

Oct 30, 2020, 6:15:18 AM
to Prometheus Users
The OPTIONS request is documented here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS
It's used by the fetch() API (https://fetch.spec.whatwg.org/) for requests from the browser to the Prometheus API.
When it's issued is documented:

So I would just say that it's part of the standard for communicating between browser and the server.
But I'm no expert on web security so don't quote me on that.
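The browser-to-server behaviour described above (a cross-origin fetch() sending an OPTIONS "preflight" before the real request), modelled as an added Python example. This is not Prometheus code and not from the thread; the origins, method lists and the `make_server` / `block_options` helpers are constructed for illustration. It shows when the fetch standard requires a preflight, how a server answers one, and what happens to the browser's request if something in front of the server answers OPTIONS with 405.

```python
"""Simplified model of CORS preflight (added example; not Prometheus code).

The rules below follow the fetch standard's "CORS-safelisted" definitions
but are deliberately simplified: the model only cares about whether a
preflight happens and whether the browser then lets the real request go out.
"""

# Methods that a cross-origin fetch() may send without a preflight.
SAFE_METHODS = {"GET", "HEAD", "POST"}
# Request headers that never trigger a preflight on their own.
SAFE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
# Content-Type is only safelisted for these MIME types (e.g. JSON is NOT).
SAFE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def needs_preflight(method, headers):
    """Return True if the browser must send OPTIONS before this cross-origin request."""
    if method.upper() not in SAFE_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFE_HEADERS:
            return True  # e.g. Authorization, X-Requested-With
        if lname == "content-type":
            mime = value.split(";")[0].strip().lower()
            if mime not in SAFE_CONTENT_TYPES:
                return True  # e.g. application/json
    return False


def make_server(allowed_origins, allowed_methods):
    """Build a constructed server callable: (method, headers) -> (status, headers).

    It answers OPTIONS preflights with CORS headers only for an allowed
    origin/method pair; any other method is treated as a normal request.
    """
    allowed_methods = {m.upper() for m in allowed_methods}

    def server(method, headers):
        origin = headers.get("Origin", "")
        if method.upper() == "OPTIONS":
            req_method = headers.get("Access-Control-Request-Method", "").upper()
            if origin not in allowed_origins or req_method not in allowed_methods:
                return 403, {}  # refused preflight: no CORS headers at all
            return 204, {
                "Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Methods": ", ".join(sorted(allowed_methods)),
                "Access-Control-Allow-Headers": headers.get("Access-Control-Request-Headers", ""),
                "Access-Control-Max-Age": "600",
                "Vary": "Origin",
            }
        # Real request: echo the origin back only if it is allowed.
        acao = origin if origin in allowed_origins else ""
        return 200, {"Access-Control-Allow-Origin": acao}

    return server


def block_options(server):
    """Wrap a server the way a front-end proxy that rejects OPTIONS would."""
    def wrapped(method, headers):
        if method.upper() == "OPTIONS":
            return 405, {"Allow": "GET, POST"}
        return server(method, headers)
    return wrapped


def browser_fetch(method, headers, origin, server):
    """Model the browser side of a cross-origin fetch().

    Returns 'sent' if the real request is issued, or 'blocked' if CORS
    (a failed or missing preflight answer) stops it from leaving the browser.
    """
    if needs_preflight(method, headers):
        status, resp = server("OPTIONS", {
            "Origin": origin,
            "Access-Control-Request-Method": method.upper(),
            "Access-Control-Request-Headers": ", ".join(headers),
        })
        if status not in (200, 204):
            return "blocked"  # e.g. 405 from a proxy that refuses OPTIONS
        if resp.get("Access-Control-Allow-Origin") not in (origin, "*"):
            return "blocked"
        allowed = {m.strip().upper() for m in resp.get("Access-Control-Allow-Methods", "").split(",")}
        if method.upper() not in allowed:
            return "blocked"
    # Simple requests (GET/HEAD/POST with safelisted headers) skip preflight entirely.
    return "sent"


if __name__ == "__main__":
    api = make_server({"https://dashboard.example"}, {"GET", "POST", "DELETE"})
    print(browser_fetch("DELETE", {}, "https://dashboard.example", api))                 # sent
    print(browser_fetch("DELETE", {}, "https://dashboard.example", block_options(api)))  # blocked
    print(browser_fetch("GET", {}, "https://dashboard.example", block_options(api)))     # sent
```

Two things the model makes visible for anyone weighing this finding: a proxy that answers OPTIONS with 405 does not reveal any less (the scanner, like a browser, can still try each method directly), but it does break every non-simple cross-origin browser request to the API, because the browser never sends the real request once the preflight fails. Same-origin requests and non-browser clients never preflight, so a deployment that only serves those would not notice the difference.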

Harald Koch

Oct 30, 2020, 9:26:09 AM
to Prometheus Users
On Fri, Oct 30, 2020, at 05:45, Vincent Pek wrote:
Agree on that, but my company policy states that even for info/low I need to seek a waiver to close it off.

So ... seek a waiver? Or better - get your security team to disable this particular check, since it's both useless (attackers can just probe HTTP methods without asking first) and wrong (RESTful APIs and CORS both use the OPTIONS method).

--
Harald

Vincent Pek

Nov 4, 2020, 5:17:11 AM
to Prometheus Users
To seek a waiver I will need some proof that OPTIONS is indeed required to be used, or some form of declaration from the devs.