Hitachi

uCosminexus Application Server Compatibility Guide


6.13.1 Limiting the HTTP-enabled methods

In the in-process HTTP server, you can limit the HTTP methods that are enabled for HTTP requests, so that requests using a disabled method are rejected. As a result, you can prevent unauthorized access to resources on the server. By default, the DELETE, HEAD, GET, OPTIONS, POST, and PUT methods are enabled.

To limit the HTTP methods, specify the names of the methods to enable. Each method name must be a value defined in RFC 2616. An asterisk (*) cannot be used within a method name string; if an asterisk (*) is specified in place of a method name, all methods can be used.

If a request that uses a disabled HTTP method is received, an error with status code 405 is returned to the Web client.

Note that if an OPTIONS request is sent for static content, the Allow header in the response by default lists the methods enabled for static content (GET, POST, TRACE, and OPTIONS), excluding any methods that are disabled for the in-process HTTP server. For servlets and JSPs, whether the HTTP-enabled methods are limited depends on the implementation of the Web application.
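The following Python sketch is an added example, not Hitachi code. It models the rules in this section so that a restricted method list can be checked against responses observed for a static resource. The function names are hypothetical, the probe results are constructed sample data, and the Allow comparison applies to static content only.

```python
# Added example: models the rules described in this section. Not Hitachi code.
STATIC_CONTENT_METHODS = {"GET", "POST", "TRACE", "OPTIONS"}  # from this section
DEFAULT_ENABLED = {"DELETE", "HEAD", "GET", "OPTIONS", "POST", "PUT"}  # from this section


def parse_enabled(methods):
    """Return the enabled set, or None when '*' enables every method."""
    names = {m.strip() for m in methods}
    if "*" in names:
        return None
    return names


def expected_static_allow(enabled):
    """Static-content methods minus those disabled on the server."""
    if enabled is None:
        return set(STATIC_CONTENT_METHODS)
    return STATIC_CONTENT_METHODS & enabled


def audit(enabled, probes, allow_header):
    """Compare observed responses with what the configuration should produce.

    probes: {method: status code} observed for a static resource.
    allow_header: Allow value from an OPTIONS response for that resource.
    """
    findings = []
    for method, status in sorted(probes.items()):
        # A disabled method must be answered with 405.
        if enabled is not None and method not in enabled and status != 405:
            findings.append(f"{method}: disabled but returned {status}, expected 405")
    observed = {m.strip() for m in allow_header.split(",") if m.strip()}
    expected = expected_static_allow(enabled)
    if observed != expected:
        findings.append(f"Allow: got {sorted(observed)}, expected {sorted(expected)}")
    return findings


# Constructed sample: server restricted to GET, HEAD, POST and OPTIONS.
enabled = parse_enabled(["GET", "HEAD", "POST", "OPTIONS"])
probes = {"GET": 200, "PUT": 405, "DELETE": 200, "TRACE": 405}
for finding in audit(enabled, probes, "GET, POST, TRACE, OPTIONS"):
    print(finding)
```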