Preventing apache request method - options?

Until installing NextCloud, I have used an .htaccess rewrite rule as follows to harden my private server. It has not prevented other PHP apps from acting properly (WordPress being the main example).

However, NextCloud would not allow me to delete photos with the DELETE verb blocked.

Previous condition and rule:

RewriteCond %{REQUEST_METHOD} ^(DEBUG|DELETE|HEAD|TRACE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]

New condition and rule:

RewriteCond %{REQUEST_METHOD} ^(DEBUG|HEAD|TRACE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]

Curious what people think about this. I know that allowing DELETE is not that big of a deal unless there is underlying code to honor the verb when requested. Yet, it’s one more security door to close.

I haven’t searched too deeply, but perhaps there is a condition and rule to allow DELETE on a per site (vhost) basis?

After all, if you have 20 sites that don’t need DELETE, but one does, I would prefer to just allow that one site to have it.
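One way to get the per-vhost behaviour asked about above, using Apache's own method-limiting directives instead of mod_rewrite. This is an added example, not configuration from the original post or from Nextcloud; the paths and the hostname cloud.example.com are placeholders. It relies on three real Apache 2.4 directives: TraceEnable (the supported way to switch TRACE off), <LimitExcept> (applies the enclosed directives to every method NOT in its list, so unregistered names like DEBUG or TRACK are refused without being named), and Require from mod_authz_core.

```apacheconf
# Added example, not from the original thread. Paths and hostnames are placeholders.

# Server-wide: refuse TRACE outright; this is independent of any rewrite rule.
TraceEnable off

# Default for the ordinary PHP sites: only the methods a browser-driven site needs.
# Everything outside this list (DELETE, PUT, TRACK, DEBUG, ...) gets 403.
<Directory "/var/www/sites">
    Require all granted
    <LimitExcept GET POST HEAD OPTIONS>
        Require all denied
    </LimitExcept>
</Directory>

# The one site that needs DELETE. Nextcloud's sync clients talk WebDAV, so the
# allow-list is widened here and only here, in this vhost's own <Directory>.
# Keeping its DocumentRoot outside /var/www/sites avoids merging with the
# restrictive block above.
<VirtualHost *:443>
    ServerName cloud.example.com
    DocumentRoot "/srv/nextcloud"
    <Directory "/srv/nextcloud">
        Require all granted
        <LimitExcept GET POST HEAD OPTIONS PUT DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
            Require all denied
        </LimitExcept>
    </Directory>
</VirtualHost>
```

After `apachectl configtest` and a reload, verify from outside with `curl -X DELETE -i https://cloud.example.com/some/path` (expect a Nextcloud response, not an Apache 403) and the same request against one of the other sites (expect 403). Note that HEAD stays in both lists deliberately, and that CalDAV/CardDAV clients use further methods such as REPORT, so exercise every client type before relying on the narrower list.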

You could try to find if there are web apps with a bug related to HTTP verbs in the past. It can make sense for example if you provide an API, and only want to allow internal connections the DELETE verb and you put this as additional security.

It could help if you turn on the webserver’s WebDAV module or something like that, but if you mess up the configuration like this, other things might be broken as well. Perhaps it would make more sense to test for such a problem from outside, and if your DELETE command to a WordPress is processed and doesn’t throw an error, there is either a problem in your config or with WordPress.

Yes. The answer would be in the Apache manual[1]. Good luck!

RewriteCond %{REQUEST_METHOD} ^(DEBUG|HEAD|TRACE|TRACK) [NC]

You’ll probably want to allow HEAD as well. It’s used heavily by the Files clients.

[1] Apache HTTP Server Version 2.4 Documentation

Just thinking of it, mod_security might be interesting for you. They do filtering in front of the web server and you can define rules. You have to adjust the rules for different applications. At some point, they tried to find a rule set for Nextcloud/ownCloud… Topics tagged modsecurity