Pylons / waitress

Waitress - A WSGI server for Python 3
https://docs.pylonsproject.org/projects/waitress/en/latest/

HTTP allowed methods cannot be configured in waitress #407

Closed HelenHHMM closed 1 year ago

HelenHHMM commented 1 year ago

Hi Pylons team,

I have a Dash application served by waitress, and recently a vulnerability was reported by our IT vendor saying that the HTTP "OPTIONS" method should be disabled for the waitress server. I can't find anywhere that I can configure which HTTP request methods are allowed or not allowed. Do you think this could be an improvement for your future work, or is there an existing workaround for this issue? Thank you so much.

mmerickel commented 1 year ago

This isn’t a concern of the server itself but rather the application. You could easily add wsgi middleware to reject any request with an OPTIONS verb.

Out of curiosity, why did they say it's a problem? It's a core feature of CORS. Obviously your app shouldn't confuse it with a GET when processing a request, though.
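The middleware approach described in the comment above, as an added example rather than code from the waitress project or from either participant. It wraps any WSGI application (for a Dash app that would be its Flask object, `app.server`) in a method allowlist that answers every other method with 405 and the Allow header that RFC 9110 requires on a 405. The names `MethodFilter`, `demo_app` and `call` and the default allowlist are assumptions chosen for the example; the match is deliberately case-sensitive because HTTP method tokens are.

```python
import io
import sys


class MethodFilter:
    """WSGI middleware (hypothetical name) that rejects any request whose
    method is not on an explicit allowlist before it reaches the wrapped app."""

    def __init__(self, app, allowed=("GET", "HEAD", "POST")):
        self.app = app
        # Method tokens are case-sensitive in HTTP, so no normalisation here:
        # "get" is not "GET" and must not be let through as one.
        self.allowed = frozenset(allowed)
        self._allow_header = ", ".join(sorted(self.allowed))

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "")
        if method not in self.allowed:
            body = b"405 Method Not Allowed\n"
            start_response("405 Method Not Allowed", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(body))),
                # A 405 must advertise what is allowed (RFC 9110 section 15.5.6).
                ("Allow", self._allow_header),
            ])
            return [body]
        # Allowed method: hand off untouched, so the app's own iterable
        # (and its close()) is returned to the server as-is.
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the real application (constructed for this example)."""
    body = b"hello from the app\n"
    start_response("200 OK", [
        ("Content-Type", "text/plain; charset=utf-8"),
        ("Content-Length", str(len(body))),
    ])
    return [body]


def call(app, method, path="/"):
    """Drive a WSGI app in-process with a minimal constructed environ.
    Returns (status, headers_dict, body) so the behaviour can be checked
    without starting a server."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "8080",
        "SERVER_PROTOCOL": "HTTP/1.1",
        "wsgi.version": (1, 0),
        "wsgi.url_scheme": "http",
        "wsgi.input": io.BytesIO(b""),
        "wsgi.errors": sys.stderr,
        "wsgi.multithread": False,
        "wsgi.multiprocess": False,
        "wsgi.run_once": False,
    }
    result = app(environ, start_response)
    try:
        body = b"".join(result)
    finally:
        if hasattr(result, "close"):
            result.close()
    return captured["status"], dict(captured["headers"]), body


# The filtered app is what gets handed to the server.
app = MethodFilter(demo_app)

if __name__ == "__main__":
    # waitress.serve is the real waitress entry point; run only when executed directly.
    from waitress import serve
    serve(app, listen="127.0.0.1:8080")
```

Because the check runs in the middleware, the wrapped application never sees OPTIONS (or TRACE, or anything else off the list), which is the behaviour the vendor asked for. Keep the CORS point from the comment above in mind before adopting this: browsers send OPTIONS preflights for cross-origin requests, so an app with legitimate cross-origin callers needs OPTIONS on the allowlist (and its own preflight handling), not a blanket 405.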

HelenHHMM commented 1 year ago

Thanks for your reply. I just created a middleware to block all requests with the OPTIONS verb. (I am not sure why the IT vendor reported this request method as a vulnerability while saying it is low risk.) Thanks for your help anyway.

mmerickel commented 1 year ago

Great to hear! I'm going to close this ticket due to the above reasons - thanks @HelenHHMM.