NGINX: Why limiting request methods is not necessary

If you want to harden nginx you might come across this piece of configuration:

if ($request_method !~ ^(GET|HEAD|POST)$ )
{
  return 405;
}

The idea behind this is that nginx checks, for every incoming request, whether the request method is GET, HEAD or POST. If it is any other method, nginx returns HTTP status code 405 ("Method Not Allowed"). Other examples return nginx's non-standard status code 444 (connection closed without sending a response) instead.

While the idea behind this is good, I think the check is not necessary and you can save the CPU cycles it costs. If you use nginx as a web server rather than as a reverse proxy, nginx does not enable HTTP methods like PUT and DELETE, which were introduced with WebDAV. To activate them you would normally need to load the ngx_http_dav_module and set the dav_methods directive accordingly, as documented here. Even though the module might be compiled in, which you can easily check with

$ nginx -V 2>&1 | grep -io -- --with-http_dav_module
--with-http_dav_module

it should not be enabled by default. If you are unsure, you can check with netcat, telnet or whatever you prefer, or use nmap's http-methods NSE script to list the HTTP methods the server actually accepts.
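As an added example (not part of the original post), here is the same check done in Python instead of netcat or nmap: it sends one request per method and records the status code, which is the only reliable way to learn the effective method set of a running server. So that it runs offline, the script starts a constructed local stand-in for a static web server that answers GET, HEAD and POST with 200 and everything else with 405; to audit a real host you would point probe_methods at it instead of the stand-in. Everything here (the handler class, METHODS, probe_methods, allowed_methods, run_demo) is my own naming, not anything from nginx.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Methods worth probing on a web server you administer. Anything beyond
# GET/HEAD/POST being answered with 2xx deserves an explanation.
METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PROPFIND"]


class StaticLikeHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a plain static web server (not nginx itself):
    GET, HEAD and POST are served, every other method gets 405."""

    protocol_version = "HTTP/1.1"

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        if status == 405:
            self.send_header("Allow", "GET, HEAD, POST")
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    def do_GET(self):
        self._reply(200, b"ok")

    def do_HEAD(self):
        self._reply(200)

    def do_POST(self):
        self._reply(200, b"ok")

    def __getattr__(self, name):
        # BaseHTTPRequestHandler looks up do_<METHOD>; for any method we did
        # not define above, hand back a 405 responder instead of the default 501.
        if name.startswith("do_"):
            return lambda: self._reply(405)
        raise AttributeError(name)

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet


def probe_methods(host, port, methods=METHODS):
    """Send one request per method on a fresh connection; return {method: status}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(method, "/")
            resp = conn.getresponse()
            resp.read()  # drain the body so the connection closes cleanly
            results[method] = resp.status
        finally:
            conn.close()
    return results


def allowed_methods(results):
    """Methods the server did not refuse outright (405 Method Not Allowed,
    501 Not Implemented), in the order they were probed."""
    return [m for m, status in results.items() if status not in (405, 501)]


def run_demo():
    """Start the constructed stand-in server on a free port, probe it, shut it down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), StaticLikeHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_methods("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    found = run_demo()
    for method, status in found.items():
        print(f"{method:9s} {status}")
    print("allowed:", ", ".join(allowed_methods(found)))
```

The status codes tell you more than a bare Allow header would: a static nginx answers the unlisted methods with 405 as the post describes, while a limit_except block answers with 403, and an if/return 444 block closes the connection (which shows up here as an exception rather than a status). If nginx proxies to an upstream, the forwarded methods are whatever the upstream accepts, so probing the running service is the only way to learn the effective set.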
