CodeIgniter Forums
Prevent HTTP verb tampering - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forum-5.html)
+--- Forum: General Help (https://forum.codeigniter.com/forum-24.html)
+--- Thread: Prevent HTTP verb tampering (/thread-68402.html)



Prevent HTTP verb tampering - june123 - 07-06-2017

What is the proper way to prevent HTTP verb tampering in CodeIgniter 3 so that except POST and GET other HTTP methods are not allowed?

I have used 


Quote:if ($_SERVER['REQUEST_METHOD'] != ('POST' || 'GET')) {
exit(0);
}


Or should I go for configuring the web server to allow only required HTTP methods ?


RE: Prevent HTTP verb tampering - skunkbad - 07-06-2017

If you're served by Apache, Apache config would be your best option:

http://www.xpertdeveloper.com/2012/02/limit-request-methods-using-htaccess/

OR

http://lmgtfy.com/?q=.htaccess+limit+request+method

I have to ask, why would it matter?


RE: Prevent HTTP verb tampering - june123 - 07-06-2017

Thanks for your reply.

Shouldn't we prevent unauthorized HTTP methods from gaining access to our application ?


RE: Prevent HTTP verb tampering - skunkbad - 07-06-2017

(07-06-2017, 07:16 PM)june123 Wrote: Thanks for your reply.

Shouldn't we prevent unauthorized HTTP methods from gaining access to our application ?

I don't see any risk involved with that access. Those methods don't do anything unless you code up the functionality.


RE: Prevent HTTP verb tampering - june123 - 07-06-2017

But the PUT method can be used to introduce malicious codes to the server.

Similarly the DELETE method can be used to remove important files of the application, thus causing denial of service, removal of configuration files etc.


RE: Prevent HTTP verb tampering - skunkbad - 07-07-2017

(07-06-2017, 10:45 PM)june123 Wrote: But the PUT method can be used to introduce malicious codes to the server.

Similarly the DELETE method can be used to remove important files of the application, thus causing denial of service, removal of configuration files etc.

I don't know what kind of server you're using, but that's not standard functionality for Apache or Litespeed. If it was, it would be a major security issue. No good server operating system is going to allow that kind of behavior.

Edit - 
I do see where people are enabling these request methods, because they're asking on stack overflow, and getting answers. Seems to me it's a pretty stupid thing to do ... But then I also think REST sucks too. Just don't enable them, and you've got nothing to worry about.


RE: Prevent HTTP verb tampering - Narf - 07-07-2017

(07-06-2017, 10:45 PM)june123 Wrote: But the PUT method can be used to introduce malicious codes to the server.

Similarly the DELETE method can be used to remove important files of the application, thus causing denial of service, removal of configuration files etc.

No. PUT and DELETE are meant for you to implement when you want to create or delete resources.

They don't magically do something without your permission.


RE: Prevent HTTP verb tampering - june123 - 07-07-2017

Ok. Thank you all