Hello! In my course of work as an API developer, I discovered that the security of a server can be compromised when multiple HTTP methods (verbs) are permitted, specifically HTTP HEAD.
Therefore, I am strongly suggesting that multiple HTTP methods (verbs) not be allowed by default. Instead, only the prescribed/specified HTTP verbs should be clearly defined and allowed on an API.
E.g.,
Only GET, excluding HEAD
Only POST, excluding HEAD
Only HEAD
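One way to implement the per-route allow list proposed above, as an added example that is not part of the original post. It uses only the Python standard library; the three routes and the verbs each accepts are constructed for illustration and mirror the three cases listed (GET without HEAD, POST without HEAD, HEAD only). Every verb passes through one dispatch function that consults the allow list, so HEAD is never paired with GET implicitly, and a rejected verb gets a 405 whose Allow header names only what the route really accepts.

```python
"""Explicit per-route HTTP method allow list (constructed example).

ROUTES maps a path to the exact set of verbs it accepts. Anything not
listed is rejected with 405 Method Not Allowed plus an Allow header, so
HEAD is served only where it has been deliberately enabled.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, FrozenSet, Tuple

# Constructed allow list: each route names every verb it accepts, nothing more.
ROUTES: Dict[str, FrozenSet[str]] = {
    "/items": frozenset({"GET"}),           # read only; HEAD deliberately excluded
    "/items/create": frozenset({"POST"}),   # write only; GET and HEAD excluded
    "/health": frozenset({"HEAD"}),         # liveness probe; body-less by design
}


def dispatch(method: str, path: str) -> Tuple[int, Dict[str, str], bytes]:
    """Return (status, headers, body) for one request after the allow-list check."""
    allowed = ROUTES.get(path)
    if allowed is None:
        return 404, {}, b"not found\n"
    if method not in allowed:
        # Advertise only the verbs this route accepts; no implied HEAD or OPTIONS.
        return 405, {"Allow": ", ".join(sorted(allowed))}, b"method not allowed\n"
    if method == "HEAD":
        # HEAD carries no body; headers alone are the response.
        return 200, {"Content-Length": "0"}, b""
    return 200, {"Content-Type": "text/plain"}, f"{method} {path} ok\n".encode()


class StrictHandler(BaseHTTPRequestHandler):
    """Single entry point for every verb: no automatic do_HEAD from do_GET."""

    def _handle(self) -> None:
        status, headers, body = dispatch(self.command, self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        if "Content-Length" not in headers:
            self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            # A HEAD response must not carry a body, even when it is a 405.
            self.wfile.write(body)

    # Every verb the server understands goes through the same allow-list check;
    # verbs with no do_* method are refused by http.server with 501.
    do_GET = do_HEAD = do_POST = do_PUT = do_PATCH = do_DELETE = do_OPTIONS = _handle


if __name__ == "__main__":
    # Hypothetical bind address for local testing only.
    HTTPServer(("127.0.0.1", 8080), StrictHandler).serve_forever()
```

The point of routing every verb through `dispatch` is that the allow list is the only source of truth: a new route that wants HEAD has to say so, and the Allow header a client sees on a 405 is computed from that same list rather than from whatever the framework would have answered by default.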