<-
Apache > HTTP Server > Documentation > Version 2.5 > Modules

Apache Module mod_allowmethods

Description: Easily restrict what HTTP methods can be used on the server
Status: Experimental
Module Identifier: allowmethods_module
Source File: mod_allowmethods.c
Compatibility: Available in Apache 2.3 and later

Summary

This module makes it easy to restrict what HTTP methods can be used on a server. The most common configuration would be:

<Location "/">
   AllowMethods GET POST OPTIONS
</Location>

<Location "/nopost">
   AllowMethods -POST
</Location>

Directives

Bugfix checklist

See also

top

AllowMethods Directive

Description: Restrict access to the listed HTTP methods
Syntax: AllowMethods reset | [+|-]HTTP-method [ [+|-]HTTP-method ] ...
Default: AllowMethods reset
Context: directory
Status: Experimental
Module: mod_allowmethods
Compatibility: +/- added in 2.5.1

The HTTP-methods are case sensitive and are generally, as per RFC, given in upper case. The GET and HEAD methods are treated as equivalent. The reset keyword can be used to turn off mod_allowmethods in a deeper nested context:

<Location "/svn">
   AllowMethods reset
</Location>

Caution

The TRACE method cannot be denied by this module; use TraceEnable instead.

Normally, if multiple AllowMethods could apply to a directory, then the most specific one is used and others are ignored; the methods are not merged. (See how sections are merged.) However if all the methods on the AllowMethods directive are preceded by a + or - symbol, the options are merged. Any method preceded by a + are added to the methods currently in force, and any method preceded by a - are removed from the methods currently in force.

Note

Mixing AllowMethods with a + or - with those without is not valid syntax and will be rejected during server startup by the syntax check with an abort.

mod_allowmethods was written to replace the rather kludgy implementation of Limit and LimitExcept.

top