iRule Security 101 - #02 - HTTP Methods and Cross Site Tracing
Published Aug 13, 2007
Version 1.0Was this article helpful?
Also thinking the method is back to front entirely, but that is easily fixed.
Since new methods may be added to HTTP, we should whitelist allowed methods not blacklist denied methods.
We can do that here, last time I did it was with Squid proxy 2.mumble, and there you could only "deny" methods in the config file, so I wrote a script to extract methods known from where they were enumerated in the Squid proxy header file, and deny all those not on my whitelist. Since Squid proxy has the decency to reject http methods it doesn't recognise this was adequate - of course it wasn't choosy out of the box and TRACE and all of WebDAV methods were allowed by default.