Security Testing

Saturday, September 15, 2018

Insecure HTTP Methods Enabled



An attacker sends an OPTIONS request to your application's web server to learn which HTTP methods it supports. A typical response carries a header such as:

Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS

The Allow header lists the HTTP methods the server supports. The application is insecure if the Allow header contains methods such as DELETE or PUT.
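The check described above, as an added example that is not part of the original post: a small Python script (standard library only) that sends an OPTIONS request, parses the Allow header and flags the methods a tester would want to verify. To keep it runnable offline it also starts a throwaway local server, constructed here, that answers with the exact Allow header quoted in the post; the RISKY_METHODS set and the demo server are assumptions of this example, not anything the original describes.

```python
"""Check which HTTP methods a server advertises via OPTIONS and flag risky ones.

Added example, not part of the original post. A constructed local server
answers OPTIONS with the Allow header quoted in the post; the same
check_http_methods() call works against any host and port.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods a static web server normally has no reason to advertise. PUT and
# DELETE are legitimate on a REST API, so treat a hit as a finding to verify
# (is the method actually usable, and by whom?) rather than as proof of a hole.
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PATCH"}


def parse_allow_header(value):
    """Turn 'HEAD, GET, put' into {'HEAD', 'GET', 'PUT'}; None or '' -> set()."""
    if not value:
        return set()
    return {m.strip().upper() for m in value.split(",") if m.strip()}


def risky_methods(allowed):
    """Subset of the advertised methods that deserve a closer look."""
    return set(allowed) & RISKY_METHODS


def options_request(host, port, path="/", timeout=5):
    """Send OPTIONS and return (status, Allow header value or None)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Allow")
    finally:
        conn.close()


def check_http_methods(host, port, path="/"):
    """Run the check and return status, advertised methods and risky subset."""
    status, allow = options_request(host, port, path)
    allowed = parse_allow_header(allow)
    return {"status": status, "allowed": allowed, "risky": risky_methods(allowed)}


# ---- constructed local server that mimics the response quoted in the post ----
class _DemoHandler(BaseHTTPRequestHandler):
    ALLOW = "HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS"

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", self.ALLOW)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_demo_server():
    """Bind to an ephemeral localhost port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Start the constructed server, run the check against it, shut it down."""
    server, port = start_demo_server()
    try:
        return check_http_methods("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    result = demo()
    print("Allow:", ", ".join(sorted(result["allowed"])))
    if result["risky"]:
        print("Finding: risky methods advertised:",
              ", ".join(sorted(result["risky"])))
    else:
        print("No risky methods advertised.")
```

Against the constructed server the script reports PUT, DELETE and TRACE as findings. In a real assessment, follow up each flagged method with an actual request (for example a PUT to a harmless path) to confirm whether the server merely advertises it or really honours it, and on the defending side remove unneeded methods in the web server configuration and verify the fix by repeating the OPTIONS check.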
