4

Running nmap on my NodeJS HTTP server I get:

nmap -p 443 --script http-methods localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-28 11:26 BST
Nmap scan report for localhost
Host is up (0.00051s latency).
PORT    STATE SERVICE
443/tcp open  https
| http-methods: ACL BIND CHECKOUT CONNECT COPY DELETE GET HEAD LINK LOCK M-SEARC                                                 H MERGE MKACTIVITY MKCALENDAR MKCOL MOVE NOTIFY PATCH POST PROPFIND PROPPATCH PU                                                 RGE PUT REBIND REPORT SEARCH SUBSCRIBE TRACE UNBIND UNLINK UNLOCK UNSUBSCRIBE
| Potentially risky methods: ACL BIND CHECKOUT CONNECT COPY DELETE LINK LOCK M-S                                                 EARCH MERGE MKACTIVITY MKCALENDAR MKCOL MOVE NOTIFY PATCH PROPFIND PROPPATCH PUR                                                 GE PUT REBIND REPORT SEARCH SUBSCRIBE TRACE UNBIND UNLINK UNLOCK UNSUBSCRIBE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
MAC Address: AB:CD:75:EF:A5:6D (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

So I'm looking to disable some of these methods, mainly in the "Potentially risky methods:" list.

This is pretty trivial in Apache, but I can't see any way of doing it in NodeJS.

This SO question talks about editing the C source of Node, but I don't really want to have to do that.

The node docs show a http.METHODS method, but thats just a get.

Improve this question

1 Answer 1

Reset to default
7

Asked on the NodeJS help github and got this response from bnoordhuis: 

const allowedMethods = ['GET','HEAD','POST'];

function onrequest(req, res) {
  if (!allowedMethods.includes(req.method))
    return res.end(405, 'Method Not Allowed');
  // ...
}

https://github.com/nodejs/help/issues/357

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Can you guide me how did you use, I was using the express wanted to allow only GET, POST
This method would sit in your front controller. eg from here: expressjs.com/en/starter/hello-world.html You would add it to line 3.
Thanks for the update Kiksy, I did the same way, previously I was placed in the wrong place after reading the GitHub issue it clear my point.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.