I. Apache
Use Apache rewrite rules to disable the OPTIONS and TRACE methods.
Add the following code to the Apache configuration file httpd.conf (or the vhosts .conf file):
Disable only the TRACE method:
~~~
RewriteEngine On
# Match TRACE (and its Microsoft variant TRACK) and answer 403 Forbidden
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
~~~
Disable only the OPTIONS method:
~~~
RewriteEngine On
# Match OPTIONS and answer 403 Forbidden
RewriteCond %{REQUEST_METHOD} ^(OPTIONS)
RewriteRule .* - [F]
~~~
Disable both the TRACE and OPTIONS methods (Apache also has the core directive `TraceEnable off`, which disables TRACE without mod_rewrite):
~~~
RewriteEngine On
# Match TRACE, TRACK and OPTIONS and answer 403 Forbidden
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]
~~~
The same rules placed inside a virtual host's Directory block. The Order/Allow lines are Apache 2.2 access-control syntax and Require all granted is the 2.4 equivalent; keep whichever matches your version:
~~~
<VirtualHost *:80>
    DocumentRoot "D:\wwwroot"
    ServerName www.abc.com
    ServerAlias abc.com
    <Directory "D:\wwwroot">
        Options FollowSymLinks ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
        Require all granted
        # Reject TRACE, TRACK and OPTIONS with 403 Forbidden
        RewriteEngine on
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
        RewriteRule .* - [F]
    </Directory>
</VirtualHost>
~~~
II. Nginx
Add the following code to the server block of the virtual host you want to restrict:
~~~
# Reject any request whose method is not exactly GET or POST. The pattern is
# anchored so it matches the whole method name. HEAD is rejected as well;
# add it to the list if clients or health checks rely on it.
if ($request_method !~* ^(GET|POST)$ ) {
    return 403;
}
~~~
Restart nginx; HTTP methods other than GET and POST are now rejected.
III. Tomcat
In web.xml, deny the listed request methods for every URL matching the pattern. The empty auth-constraint grants access to no role, so these methods are refused for all users (remove HEAD from the list if clients rely on it):
~~~
<security-constraint>
  <web-resource-collection>
    <!-- web-resource-name is required by the servlet schema; the value is arbitrary -->
    <web-resource-name>restricted-methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>HEAD</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <!-- no roles listed: nobody may use the methods above -->
  <auth-constraint>
  </auth-constraint>
</security-constraint>
~~~
IV. IIS
1. Disable the WebDAV feature.
2. web.config
Add the following code under the relevant node in web.config:
~~~
<system.webServer>
  <security>
    <requestFiltering>
      <!-- allowUnlisted="false" turns the verb list into an allow-list -->
      <verbs allowUnlisted="false">
        <add verb="GET" allowed="true"/>
        <add verb="POST" allowed="true"/>
        <add verb="HEAD" allowed="true"/>
      </verbs>
    </requestFiltering>
  </security>
</system.webServer>
~~~
The code above allows only the GET, POST and HEAD methods.
3. IIS also offers Request Filtering in IIS Manager: under HTTP Verbs, add OPTIONS with Allowed set to False.
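All four sections above configure the same thing, an allow-list of HTTP methods, and the way to confirm any of them took effect is to send each method and look at the status code. The script below is an added example, not code from the original post: probe_methods() can be pointed at a real host and port, and run_demo() exercises it offline against a constructed local http.server fixture (make_policy_handler, a hypothetical helper) whose policy imitates the allow-list configurations above, answering 403 like the Apache [F] flag and the Nginx return 403 do. The method lists RISKY_METHODS and ALLOWED_METHODS are assumptions chosen to match the post; a real server may answer a blocked method with 405 or 501 instead of 403, which the check treats as blocked just the same.

```python
"""Probe which HTTP methods a server accepts and flag the risky ones that
are still enabled. Added example; not part of the original post."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed lists: the methods the post disables, and the ones a site still needs.
RISKY_METHODS = ("TRACE", "TRACK", "OPTIONS", "PUT", "DELETE")
ALLOWED_METHODS = ("GET", "POST", "HEAD")


def make_policy_handler(allowed):
    """Constructed test server (hypothetical helper): 200 for methods in
    `allowed`, 403 for everything else, like the configurations above."""
    allowed = frozenset(allowed)

    class PolicyHandler(BaseHTTPRequestHandler):
        def _respond(self):
            if self.command in allowed:
                body = b"ok"
                self.send_response(200)
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                if self.command != "HEAD":  # HEAD answers without a body
                    self.wfile.write(body)
            else:
                self.send_response(403)
                self.send_header("Content-Length", "0")
                self.end_headers()

        def log_message(self, *args):  # keep the demo output quiet
            pass

    # BaseHTTPRequestHandler dispatches on do_<METHOD>; register every probed method.
    for method in RISKY_METHODS + ALLOWED_METHODS:
        setattr(PolicyHandler, "do_" + method, PolicyHandler._respond)
    return PolicyHandler


def probe_methods(host, port, methods=RISKY_METHODS + ALLOWED_METHODS,
                  path="/", timeout=5):
    """Send each method to host:port and return {method: HTTP status code}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            results[method] = conn.getresponse().status
        finally:
            conn.close()
    return results


def exposed_risky_methods(results):
    """Risky methods the server answered with a 2xx status, i.e. still enabled."""
    return sorted(m for m in RISKY_METHODS if 200 <= results.get(m, 0) < 300)


def run_demo(allowed=ALLOWED_METHODS):
    """Start the local policy server, probe it, and return (results, exposed)."""
    server = HTTPServer(("127.0.0.1", 0), make_policy_handler(allowed))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        results = probe_methods("127.0.0.1", server.server_address[1])
        return results, exposed_risky_methods(results)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # "hardened" mirrors the allow-lists above; "default" accepts every method.
    for label, allowed in (("hardened", ALLOWED_METHODS),
                           ("default", RISKY_METHODS + ALLOWED_METHODS)):
        results, exposed = run_demo(allowed)
        print(label, results, "exposed:", exposed)
```

Against a real server, call probe_methods(host, port) after each configuration change and keep exposed_risky_methods(results) empty; a non-empty list names the methods the configuration did not actually block.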
Author: 0ne0ne
Link: https://www.jianshu.com/p/da021be820e3
Source: Jianshu
Copyright on Jianshu belongs to the author; for any form of reproduction, please contact the author for authorization and credit the source.