Home / Tools / Disable unnecessary HTTP methods (TRACE, PUT, DELETE)
Security Headers · Scan Check Guide

Disable unnecessary HTTP methods (TRACE, PUT, DELETE)

20 min Impact: medium Effort: low ✓ Scan-verified — no manual checkbox

HTTP methods beyond GET and POST — PUT, DELETE, TRACE, and others — are often left enabled on a server by default even when your application never actually uses them, giving an attacker extra ways to probe or manipulate your site that you never intended to expose.

Most sites only need GET and POST. Leaving TRACE, PUT, or DELETE enabled expands your attack surface for no functional benefit — TRACE specifically enables Cross-Site Tracing, a real cookie-theft technique.

How to fix it

  1. 1
    Check which methods your server currently accepts
    Send an OPTIONS request to your site and check the Allow header in the response, or use a tool like curl -X OPTIONS.
  2. 2
    Disable methods you don't use
    Most sites only need GET, POST, and HEAD. Explicitly block or return 405 for PUT, DELETE, TRACE, and CONNECT unless your application specifically requires them (some REST APIs legitimately need PUT/DELETE).
  3. 3
    Configure at the server or WAF level
    Nginx: limit_except GET POST HEAD block. Apache: <LimitExcept> directive. Or handle this in your WAF/CDN rules.

Common mistakes

How you'll know it's done

Your server only accepts the HTTP methods your application actually uses.

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →