Insecure HTTP methods such as PUT, DELETE, PATCH and TRACE can expose the backend server to critical security issues; in particular, they can give unauthorized attackers the ability to upload or delete files on the backend server. Disabling the PUT, DELETE, PATCH and TRACE methods on the gateway server therefore improves its security.

Configure HTTP Method in eStudio Profile Manager

To disable HTTP methods, perform the following actions in eStudio after shutting down the gateway server:

  1. Open AGS profile in the Profile Management perspective.

  2. Go to APIGateway > Fiorano > APIGateway> Jetty > PeerAPIManagementJetty.

  3. Set the DisableHttpMethods property to a value in the following format:

    Multiple methods can be listed separated by commas; the path patterns, separated by semicolons, are as follows:

    • /* blocks the listed methods on all paths
    • /debug/* blocks the listed methods on resources under /debug (projects being debugged)

  4. Save the profile (CTRL+S) and start the gateway server.

Test the response in Fiorano API Dashboard

To confirm whether the settings are applied to the gateway server configuration, perform the following actions in Fiorano Dashboard:

  1. Log in to Fiorano API Dashboard (http://localhost:1981/apimgmt).
  2. Create an API project (with one of the resources set in the DisableHttpMethods property) and deploy it under any Server Group.

    Resource Configuration

    To cross-check or edit a resource in an existing project, use the Resources section.

  3. Open the project and click the resource URL to open it.

    The gateway returns an HTTP error if the request method matches one of the methods disabled in the server profile.
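The check above can be automated. The following script is an added example, not part of the Fiorano documentation: it sends each of the four methods to a resource URL and reports which ones the gateway still accepts. It assumes a disabled method is answered with HTTP 403 or 405, and it includes a constructed stand-in server so it runs offline; against a real deployment, call check_disabled_methods with the resource URL shown in the dashboard.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Methods the page recommends disabling on the gateway's Jetty listener.
RISKY_METHODS = ("PUT", "DELETE", "PATCH", "TRACE")
BLOCKED_STATUSES = {403, 405}  # assumption: how a disabled method is answered

def probe_method(url, method, timeout=5):
    """Send one request with `method` to `url` and return the HTTP status."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        body = b"" if method in ("PUT", "PATCH") else None  # empty body only
        conn.request(method, u.path or "/", body=body)
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()

def check_disabled_methods(url, methods=RISKY_METHODS):
    """Return {method: status} for each risky method sent to the resource URL."""
    return {m: probe_method(url, m) for m in methods}

def still_allowed(results):
    """Methods not answered with a blocking status: the profile missed them."""
    return sorted(m for m, s in results.items() if s not in BLOCKED_STATUSES)

# Constructed stand-in for a deployed gateway resource so the example runs
# offline; it mimics a profile that blocks PUT, DELETE and TRACE but not PATCH.
class _FakeGateway(BaseHTTPRequestHandler):
    BLOCKED = {"PUT", "DELETE", "TRACE"}
    def _answer(self):
        self.send_response(405 if self.command in self.BLOCKED else 200)
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_GET = do_PUT = do_DELETE = do_PATCH = do_TRACE = _answer
    def log_message(self, *args): pass  # keep the demo quiet

def demo():
    # Run the check against the stand-in; returns the methods still accepted.
    srv = HTTPServer(("127.0.0.1", 0), _FakeGateway)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{srv.server_port}/debug/orders"
        return still_allowed(check_disabled_methods(url))
    finally:
        srv.shutdown()
        srv.server_close()
```

An empty result from still_allowed means every risky method was rejected; any method listed has to be added to the DisableHttpMethods property for that path pattern.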
