Non-Standard HTTP Verbs Restricted
  • 25 Jan 2024

This constraint is effective in the 2023.2 IAP release.

To support network security policies and provide an additional layer of control, Itential will not accept or process any non-standard HTTP verbs that IAP does not require for its operation. The sections that follow give further detail.

Accepted HTTP Verbs

The following set of HTTP verbs will always be accepted in IAP:

GET, POST, PUT, PATCH, HEAD, OPTIONS, DELETE

For any verbs not on this list, Itential has implemented a new property, allowedHttpOptionalVerbs, that allows admins to specify an array of optional HTTP verbs IAP can process. By default, non-permitted verbs are blocked from accessing the application. Consequently, IAP will not process any server request that uses a restricted verb unless that verb is defined ("turned on") in the allowedHttpOptionalVerbs property.

Optional HTTP Verbs Allowed

As listed below, there are 26 optional HTTP verbs Itential admins can use. A 405 error ("Method Not Allowed") is returned if the server request uses a verb not on the list.

These verbs must be in uppercase format.

"ACL",
"BIND",
"CHECKOUT",
"CONNECT",
"COPY",
"LINK",
"LOCK",
"MERGE",
"MKACTIVITY",
"MKCALENDAR",
"MKCOL",
"MOVE",
"M-SEARCH",
"NOTIFY",
"PROPFIND",
"PROPPATCH",
"PURGE",
"REBIND",
"REPORT",
"SEARCH",
"SUBSCRIBE",
"TRACE",
"UNBIND",
"UNLINK",
"UNLOCK",
"UNSUBSCRIBE"

How to Configure Alternate HTTP Verbs

To configure the HTTP verbs that can be used for inbound requests to the IAP server, use expressProps in the active IAP profile to configure the allowedHttpOptionalVerbs property.

  1. Log in and navigate to IAP → Administration → Admin Essentials.
  2. Select the active profile under Profiles.
  3. Click the Configure tab.
  4. Select expressProps under Edit Profile Properties.
  5. Update the allowedHttpOptionalVerbs property to include the desired verbs from the allowed list above.
  6. Click Save to finalize your changes.
  7. Restart IAP.
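
A pre-save check for the array entered in step 5, as an added example (not Itential code). It assumes the property value is a JSON array of strings as described above; the function names and the sample array are hypothetical.

```javascript
// Added example: lint a proposed allowedHttpOptionalVerbs array before saving
// the profile. Verb lists are copied from this article; names are hypothetical.
const ALWAYS_ACCEPTED = new Set(["GET", "POST", "PUT", "PATCH", "HEAD", "OPTIONS", "DELETE"]);
const OPTIONAL_VERBS = new Set([
  "ACL", "BIND", "CHECKOUT", "CONNECT", "COPY", "LINK", "LOCK", "MERGE",
  "MKACTIVITY", "MKCALENDAR", "MKCOL", "MOVE", "M-SEARCH", "NOTIFY",
  "PROPFIND", "PROPPATCH", "PURGE", "REBIND", "REPORT", "SEARCH",
  "SUBSCRIBE", "TRACE", "UNBIND", "UNLINK", "UNLOCK", "UNSUBSCRIBE",
]);

// Returns a list of problems found in the proposed array (empty list = clean).
function lintOptionalVerbs(proposed) {
  if (!Array.isArray(proposed)) return ["value must be an array of strings"];
  const problems = [];
  const seen = new Set();
  for (const entry of proposed) {
    if (typeof entry !== "string") {
      problems.push(`${JSON.stringify(entry)}: not a string`);
      continue;
    }
    const upper = entry.toUpperCase();
    if (seen.has(upper)) problems.push(`${entry}: duplicate entry`);
    seen.add(upper);
    if (ALWAYS_ACCEPTED.has(upper)) {
      problems.push(`${entry}: always accepted, no need to list it`);
    } else if (!OPTIONAL_VERBS.has(upper)) {
      problems.push(`${entry}: not one of the 26 optional verbs`);
    } else if (entry !== upper) {
      problems.push(`${entry}: must be uppercase (${upper})`);
    }
  }
  return problems;
}

// Optional verbs that should still return 405 once this array is active
// (assumes exact, uppercase matching); a post-restart verification checklist.
function stillBlocked(allowed) {
  return [...OPTIONAL_VERBS].filter((verb) => !allowed.includes(verb));
}

// Constructed sample configuration for illustration.
const proposed = ["PROPFIND", "report", "TRACE", "PROPFIND", "BREW", "GET"];
console.log(lintOptionalVerbs(proposed));
console.log(stillBlocked(["PROPFIND", "REPORT"]));
```

After the restart, each verb returned by `stillBlocked` should produce a 405 response when sent to the IAP server.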
