Check if HTTP Methods have been Allowed and Enabled on Localhost

Joe asked:

I’m running Apache/2.2.15 (Unix) on a RHEL system. My LAMP is running on localhost.

I want to check if the HTTP methods:

  • POST
  • GET
  • PUT
  • DELETE

are allowed and enabled.

I’ve read that they can be checked with netcat or telnet https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)

When I try netcat, this is what I get:

[[email protected] ~]# nc localhost 80
OPTIONS / HTTP/1.1
HTTP/1.1 400 Bad Request
Date: Fri, 15 Sep 2017 20:17:12 GMT
Server: Apache/2.2.15 (Red Hat)
Content-Length: 302
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not     understand.<br />
</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at 127.0.0.1 Port 80</address>
</body></html>

When I try telnet, this is what I get:

[[email protected] ~]# telnet localhost 80
Trying ::1...
Connected to localhost.
Escape character is '^]'.
OPTIONS / HTTP/1.0
Host localhost

HTTP/1.1 400 Bad Request
Date: Fri, 15 Sep 2017 19:48:30 GMT
Server: Apache/2.2.15 (Red Hat)
Content-Length: 302
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not     understand.<br />
</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at 127.0.0.1 Port 80</address>
</body></html>
Connection closed by foreign host.

I understand that getting a “400 Bad Request” can be due to malformed syntax https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

But when I’m just sending telnet or netcat commands, how could that be?

My answer:


Neither your nc attempt nor your telnet attempt provided a valid HTTP Host request header. It is not allowed to send an HTTP/1.1 request without this header, and such requests must be rejected with a 400 Bad Request response.

In the first case it was missing, and in the second case it was indeed malformed.

That header should have appeared as:

Host: localhost

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.