Most security scanners detect an enabled HTTP/S OPTIONS method and report it as a potential problem. This method can help an attacker learn about your server configuration and offer a shortcut to other vulnerabilities.

However, there are valid use cases for the OPTIONS method, such as REST APIs or CORS preflight requests. If you need the OPTIONS method for those use cases, keep it active and document its usage in your architecture documentation.

Most web sites do not need the OPTIONS method and should close this potential risk. If you want to remove the OPTIONS method for all sites on this server, open the IIS Manager and click on the top node in the server tree. If you just want to disable the OPTIONS method for a single site, follow the steps below, starting from the home screen of that site.
Locate the IIS feature section and click on the icon for Request Filtering:
Click on Deny Verb in the Actions list on the right side:
You can now specify the verb you do not want to allow (in this case OPTIONS):
When you click on OK, the dialog closes and you see that OPTIONS is now disabled (allowed = false):
On the next run, your security scanner will no longer complain about the OPTIONS method. Should one of your sites later need the OPTIONS method, you can activate it explicitly just for that one site.
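The same Request Filtering change, scripted instead of clicked, as an added example that is not part of the original post. It assumes the WebAdministration module that ships with IIS, an elevated prompt, and a placeholder site name; it writes the per-site rule, shows the server-wide variant, and verifies that a denied verb now gets IIS's 404 answer.

```powershell
# Added example: PowerShell equivalent of Request Filtering > Deny Verb for OPTIONS.
# Assumes the WebAdministration module (installed with IIS) and an elevated session.
Import-Module WebAdministration

$siteName = 'Default Web Site'   # placeholder: replace with the site you want to harden
$filter   = 'system.webServer/security/requestFiltering/verbs'

# Per-site rule: equivalent to clicking Deny Verb on the site's home screen.
# This writes <verbs><add verb="OPTIONS" allowed="false" /></verbs> into the site's web.config.
Add-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" -Filter $filter -Name '.' `
    -Value @{ verb = 'OPTIONS'; allowed = 'False' }

# Server-wide rule instead (the top node in the server tree, i.e. applicationHost.config):
# Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name '.' `
#     -Value @{ verb = 'OPTIONS'; allowed = 'False' }

# Verify what was written: expect verb=OPTIONS, allowed=False
Get-WebConfiguration -PSPath "IIS:\Sites\$siteName" -Filter "$filter/add[@verb='OPTIONS']" |
    Select-Object verb, allowed

# Client-side check: Request Filtering rejects a denied verb with HTTP 404 (substatus 404.6, "Verb denied").
try {
    Invoke-WebRequest -Uri 'http://localhost/' -Method Options -UseBasicParsing | Out-Null
    Write-Warning 'OPTIONS was still answered; check that the rule applies to this site'
} catch {
    'OPTIONS blocked, status {0}' -f $_.Exception.Response.StatusCode.value__
}

# Re-enable later for this one site only (for a REST API or CORS preflight) with:
# Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" -Filter "$filter/add[@verb='OPTIONS']" `
#     -Name 'allowed' -Value 'True'
```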