How to Disable the HTTP OPTIONS in OneClick's Tomcat Server
Article ID: 190976

Products

CA Spectrum

Issue/Introduction


The HTTP OPTIONS method is used to describe the communication options for the target resource. When it is enabled, a client can send a request to the Tomcat server asking for the allowed methods. This might be used for malicious intent: identifying the allowed methods to use in a potential attack.

This knowledge document explains how to disable the HTTP OPTIONS method.

Environment

Release : 10.x

Component : Spectrum OneClick

Resolution

The OPTIONS method can be disabled on the OneClick server by updating the web.xml file and adding the block below BEFORE the </web-app> closing tag.


FILE: $SPECROOT/tomcat/conf/web.xml

Example:

- back up the existing web.xml
     cp -p $SPECROOT/tomcat/conf/web.xml $SPECROOT/tomcat/conf/web.xml.backup

- edit $SPECROOT/tomcat/conf/web.xml (add below just before the closing </web-app> tag)


<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>TRACE</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>HEAD</http-method>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,CONNECT</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>



- save the changes
- restart OneClick Tomcat

Tomcat should now block the OPTIONS method.
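Before restarting, it is worth confirming that the edited web.xml actually denies OPTIONS for every path. The script below is an added example, not part of this article or of Spectrum; it parses a web.xml (namespace-aware, since Tomcat's file declares a default namespace), and reports a method as blocked only when a security-constraint covers /* and carries an empty auth-constraint, which is what makes the block a deny-all rather than a login prompt. The embedded sample web.xml is constructed; pass the path $SPECROOT/tomcat/conf/web.xml as the first argument to audit the real file.

```python
"""Audit a Tomcat web.xml for the OPTIONS deny described above (added example)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample; real Tomcat files declare a default namespace, so tags
# are matched by local name below.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""

def _local(tag):
    return tag.rsplit('}', 1)[-1]  # strip ElementTree's '{namespace}' prefix

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def blocked_methods(xml_text):
    """Return the HTTP methods denied for every path ('/*').
    A method is blocked only when its constraint covers /* AND has an EMPTY
    <auth-constraint/>; one that lists role-names merely demands a login."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != 'web-app':
        raise ValueError('root element is not <web-app>')
    blocked = set()
    for sc in _children(root, 'security-constraint'):
        auth = _children(sc, 'auth-constraint')
        if not auth or _children(auth[0], 'role-name'):
            continue  # no auth-constraint, or a role-based one: not deny-all
        for wrc in _children(sc, 'web-resource-collection'):
            patterns = {(p.text or '').strip() for p in _children(wrc, 'url-pattern')}
            if '/*' in patterns:
                blocked |= {(m.text or '').strip().upper()
                            for m in _children(wrc, 'http-method')}
    return blocked

def options_is_blocked(xml_text):
    return 'OPTIONS' in blocked_methods(xml_text)

if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    print('OPTIONS blocked' if options_is_blocked(text) else 'OPTIONS still allowed')
```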