Software AG Products 10.5 | Administering API Portal | Configuring API Portal | Security Considerations | Preventing Use of the HTTP OPTIONS Method
 
Preventing Use of the HTTP OPTIONS Method
The OPTIONS request method, while part of the HTTP standard, has the potential for allowing incoming requests to obtain information about API Portal server capabilities or to get information about resources, even though the request does not specify a resource action or retrieve a resource.
By default, the API Portal load balancer component is set to allow HTTP OPTIONS method requests. Software AG recommends deactivating the OPTIONS method in the load balancer, preventing it from responding to the requests.
*To deactivate the OPTIONS method
1. Stop the loadbalancer component from the API Portal Cloud Controller (ACC).
2. In a text editor, open the httpd-custom.conf and the http-custom-ssl.conf files from the following directory: Software AG_directory\API_Portal\server\bin\work\work_loadbalancer_s\httpd\conf\extra.
3. Add the following lines to the files:
<Location "/">
<Limit OPTIONS>
Deny from all
</Limit>
</Location>
4. Start the loadbalancer component from the ACC.