
Database

Need

Restrict HTTP methods to only those necessary for the application's functionality to prevent security risks.

Context

• HTTP methods define how clients interact with a server, but some methods can introduce security risks if not properly restricted.

• Insecure HTTP methods such as `TRACE`, `PUT`, and `DELETE` can allow attackers to manipulate resources, perform cross-site tracing attacks, or introduce malicious content.

• CloudFormation templates may inadvertently allow all HTTP methods (`HttpMethod: "*"`) when defining API resources, exposing services to potential threats.

Description

1. Non compliant code

```yaml
Resources:
  MyApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      MethodSettings:
        - ResourcePath: "/*"
          LoggingLevel: INFO...
```

The above CloudFormation template defines an **AWS::Serverless::Api** resource where `MethodSettings` allows all HTTP methods (`HttpMethod: "*"`, equivalent to `ANY`). Allowing all HTTP methods increases the risk of:

• Unauthorized file uploads (`PUT`)

• Accidental or malicious deletion of resources (`DELETE`)

• Cross-site tracing attacks (`TRACE`), which can be used to expose sensitive information

This misconfiguration can lead to data manipulation or unauthorized actions on the API.

2. Steps

• Identify API configurations that allow unrestricted HTTP methods.

• Review API settings (`MethodSettings` in AWS, similar configurations in other frameworks).

• Replace `HttpMethod: "*"` or equivalent settings with explicitly defined methods (e.g., `GET`, `POST`).

• Validate the configuration to ensure only intended methods are accessible.

3. Secure code example

```yaml
Resources:
  MyApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      MethodSettings:
        - ResourcePath: "/secure"
          LoggingLevel: INFO...
```

The secure approach explicitly defines only the necessary HTTP methods (`GET` and `POST`), ensuring that potentially harmful methods such as `TRACE`, `PUT`, and `DELETE` are not exposed. By restricting `MethodSettings` to an explicit allowlist, the API enforces a more controlled access policy and reduces its attack surface.
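The steps above (identify, review, replace, validate) can be automated as a static check over the template before deployment. The following is an added example, not code from the original page or from AWS; it walks a CloudFormation/SAM template loaded as a Python dictionary and reports `MethodSettings` entries that use `HttpMethod: "*"` (or `ANY`), plus any method outside an explicit allowlist. It goes slightly beyond the page's single case by also inspecting `AWS::ApiGateway::Stage` and `AWS::ApiGateway::Method` resources, which carry the same settings in non-SAM templates. The sample template embedded in the block is constructed for the example (logical IDs `OpenApi`, `SecureApi`, `DeleteMethod` are invented); it uses CloudFormation's JSON form so the block runs with the standard library only. The `METHOD_SETTINGS_TYPES` set and the `GET`/`POST` allowlist are assumptions you would adjust per project.

```python
"""Static check: flag CloudFormation/SAM API resources that leave HTTP
methods unrestricted. Added example; not the page's or AWS's own code."""
import json

# Assumption: these resource types carry a MethodSettings list whose entries
# have an HttpMethod. Extend the set for other frameworks you scan.
METHOD_SETTINGS_TYPES = {"AWS::Serverless::Api", "AWS::ApiGateway::Stage"}

# Explicit allowlist of methods the application actually needs (assumed here).
ALLOWED_METHODS = frozenset({"GET", "POST"})

# Constructed sample template in CloudFormation's JSON form. OpenApi mirrors
# the non-compliant case on the page, SecureApi the secure one; DeleteMethod
# is an extra AWS::ApiGateway::Method resource exposing DELETE.
SAMPLE_TEMPLATE = json.loads(r'''
{
  "Resources": {
    "OpenApi": {
      "Type": "AWS::Serverless::Api",
      "Properties": {
        "StageName": "Prod",
        "MethodSettings": [
          {"ResourcePath": "/*", "HttpMethod": "*", "LoggingLevel": "INFO"}
        ]
      }
    },
    "SecureApi": {
      "Type": "AWS::Serverless::Api",
      "Properties": {
        "StageName": "Prod",
        "MethodSettings": [
          {"ResourcePath": "/secure", "HttpMethod": "GET", "LoggingLevel": "INFO"},
          {"ResourcePath": "/secure", "HttpMethod": "POST", "LoggingLevel": "INFO"}
        ]
      }
    },
    "DeleteMethod": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {"HttpMethod": "DELETE", "ResourceId": "r1", "RestApiId": "a1"}
    }
  }
}
''')


def find_unrestricted_methods(template, allowed=ALLOWED_METHODS):
    """Return a list of (logical_id, detail) findings for the template.

    A finding is raised when an HttpMethod is the wildcard "*" / "ANY", or
    when it names a method that is not in the allowlist (e.g. PUT, DELETE,
    TRACE when only GET and POST are intended).
    """
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        rtype = resource.get("Type", "")
        props = resource.get("Properties") or {}

        if rtype in METHOD_SETTINGS_TYPES:
            for index, setting in enumerate(props.get("MethodSettings") or []):
                method = str(setting.get("HttpMethod", "")).upper()
                path = setting.get("ResourcePath", "?")
                if method in ("*", "ANY"):
                    findings.append((logical_id,
                        f"MethodSettings[{index}] on {path} uses HttpMethod "
                        f"{method!r}, which exposes every method"))
                elif method and method not in allowed:
                    findings.append((logical_id,
                        f"MethodSettings[{index}] on {path} enables {method}, "
                        f"which is not in the allowlist"))

        elif rtype == "AWS::ApiGateway::Method":
            method = str(props.get("HttpMethod", "")).upper()
            if method == "ANY":
                findings.append((logical_id, "HttpMethod ANY exposes every method"))
            elif method and method not in allowed:
                findings.append((logical_id,
                    f"HttpMethod {method} is not in the allowlist"))
    return findings


def is_compliant(template, allowed=ALLOWED_METHODS):
    """True when the template produces no findings."""
    return not find_unrestricted_methods(template, allowed)


if __name__ == "__main__":
    for logical_id, detail in find_unrestricted_methods(SAMPLE_TEMPLATE):
        print(f"[FAIL] {logical_id}: {detail}")
    print("compliant" if is_compliant(SAMPLE_TEMPLATE) else "non-compliant")
```

Run it as-is to see `OpenApi` and `DeleteMethod` flagged while `SecureApi` passes. For YAML templates, load them with a YAML parser first (CloudFormation intrinsic tags such as `!Ref` need a loader that tolerates custom tags) and pass the resulting dict to `find_unrestricted_methods`; note that in YAML the wildcard must be written quoted, `HttpMethod: "*"`, because a bare `*` starts an alias.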