KB Article #180681

VA: Disable HTTP OPTIONS method

Problem

A security scan detected that the HTTP OPTIONS method is enabled on the VA Admin Server and you wish to disable the method.

Resolution

You can disable OPTIONS by locating and editing the httpd.conf file in the conf directory, e.g. C:\Program Files\Axway\VA\Apache\conf\httpd.conf. On Windows, you may need to run Notepad as Administrator to edit this file. Be sure to edit the file under \VA\Apache\conf\; there may be another template httpd.conf file in the main directory, and editing that file will have no effect. Once you have the correct file open, add this text to the end of the file:


# Allows only GET/HEAD and POST (Apache considers HEAD a part of the GET method)
<Location />
    <LimitExcept GET POST>
        deny from all
    </LimitExcept>
</Location>


Now restart the VA Admin service and test the changes with curl as shown below:


Before disabling OPTIONS:

C:\>curl -i -k -X OPTIONS https://localhost:13333/
HTTP/1.1 200 OK
Date: Fri, 15 Nov 2019 18:06:36 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Allow: GET,HEAD,POST,OPTIONS,HEAD,HEAD
Content-Security-Policy: default-src 'self' 'unsafe-inline'
Content-Length: 0
Connection: close
Content-Type: text/html


After disabling OPTIONS:

C:\>curl -i -k -X OPTIONS https://localhost:13333/
HTTP/1.1 403 Forbidden
Date: Fri, 15 Nov 2019 18:09:43 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Length: 209
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.<br />
</p>
</body></html>
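The curl checks above verify one server by eye. The following script is an added example, not part of the Axway KB article: it parses captured `curl -i` responses like the two shown (the samples embedded below are constructed from those captures) and reports whether the OPTIONS method is really disabled, i.e. a 4xx/5xx status and no Allow header advertising methods beyond GET, HEAD and POST. It also includes an optional live probe built on the standard library; the host and port used there are assumptions, and `verify_tls=False` mirrors curl's `-k` for a self-signed admin certificate.

```python
# Added example: verify that OPTIONS is rejected by an Apache-based admin server.
import http.client
import ssl
from typing import Dict, List

# Constructed samples, modelled on the before/after captures in the article.
BEFORE_SAMPLE = """HTTP/1.1 200 OK
Date: Fri, 15 Nov 2019 18:06:36 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS,HEAD,HEAD
Content-Length: 0
Connection: close
"""

AFTER_SAMPLE = """HTTP/1.1 403 Forbidden
Date: Fri, 15 Nov 2019 18:09:43 GMT
Server: Apache
Content-Length: 209
Content-Type: text/html; charset=iso-8859-1

<html><head><title>403 Forbidden</title></head><body></body></html>
"""

# Methods the <LimitExcept GET POST> block is meant to leave enabled.
# Apache treats HEAD as part of GET, so HEAD stays allowed as well.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def parse_response(raw: str) -> Dict[str, object]:
    """Split a raw HTTP/1.x response into its status code and a header dict.

    Header names are lower-cased; anything after the blank line (body) is ignored.
    """
    head = raw.split("\n\n", 1)[0]
    lines = [ln.rstrip("\r") for ln in head.splitlines() if ln.strip()]
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def advertised_methods(headers: Dict[str, str]) -> List[str]:
    """Return the de-duplicated method list from an Allow header, if present."""
    seen: List[str] = []
    for m in headers.get("allow", "").split(","):
        m = m.strip().upper()
        if m and m not in seen:
            seen.append(m)
    return seen


def assess_options_response(raw: str) -> Dict[str, object]:
    """Decide whether a captured OPTIONS response shows the method disabled.

    Disabled means: an error status (>= 400) and no advertised method
    outside ALLOWED_METHODS (a 200 with Allow: ...,OPTIONS fails the check).
    """
    parsed = parse_response(raw)
    methods = advertised_methods(parsed["headers"])
    unexpected = sorted(set(methods) - ALLOWED_METHODS)
    return {
        "status": parsed["status"],
        "advertised": methods,
        "unexpected": unexpected,
        "options_disabled": parsed["status"] >= 400 and not unexpected,
    }


def probe_options(host: str, port: int, verify_tls: bool = True) -> Dict[str, object]:
    """Send a live OPTIONS / request and assess the answer (needs network access).

    verify_tls=False behaves like curl -k; keep it True unless the admin
    server uses a self-signed certificate you have already confirmed.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("OPTIONS", "/")
        resp = conn.getresponse()
        raw = f"HTTP/1.1 {resp.status} {resp.reason}\n"
        raw += "".join(f"{k}: {v}\n" for k, v in resp.getheaders())
        return assess_options_response(raw)
    finally:
        conn.close()


if __name__ == "__main__":
    for label, sample in (("before", BEFORE_SAMPLE), ("after", AFTER_SAMPLE)):
        print(label, assess_options_response(sample))
    # Live check against an assumed local VA Admin Server (port from the article):
    # print(probe_options("localhost", 13333, verify_tls=False))
```

Two points worth noting when reading the results. First, the "before" capture advertises OPTIONS in its Allow header, so the check fails on that alone even if the status had not been 200. Second, `deny from all` is Apache 2.2 access-control syntax; on an Apache 2.4 build it is only honoured when mod_access_compat is loaded, otherwise the equivalent inside the same `<LimitExcept>` block is `Require all denied`. Whichever syntax applies, the post-change probe should return `options_disabled: True`.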