"Disable HTTP OPTIONS method" Documentation

[georgethemarmot]

Jetty version(s)
All supported versions

Enhancement Description
Please document a clear solution on how to disable the http options method

ref. #5909

[joakime]

Jetty 9 is at End of Open Source Community Support

• EoCS (End of Community Support) for Jetty 9 - June 2022 #7958

Please upgrade to a supported version of Jetty (Jetty 12.0.x at this point in time) and try again.

[joakime]

As for disabling OPTIONS in general.

That's actually not recommended when working with Modern Web Browsers (Chrome, Firefox, Edge, and all mobile browsers).
You will break the efforts of those browsers to determine Cross-Origin-Resource-Sharing (CORS) for the resources on your website.

If you have a security auditing tool telling you that OPTIONS is a risk, you should challenge that assertion as ancient. (There was a time, back in the late 1990's, before CORS existed, where OPTIONS was viewed as exposing too much information about the request target or server. But that is absolutely not true in the modern era.)

See this answer from 2020 on the Information Security Stackexchange website.

https://security.stackexchange.com/questions/225325/is-the-http-method-options-secure-nowadays

It talks about how OWASP handles various HTTP methods for purposes of security.
The linked to page on that answer has been constantly been kept up to date.
The newest version of that page also does not consider OPTIONS as a vulnerability, and points out it's crucial role in CORS.

As for how, the recommendations in #5909 still apply.

If you are attempting to disable OPTIONS * (HTTP absolute form) then the constraint must exist on a webapp deployed to ROOT / context-path and the constraint url-pattern must be /. - but be aware that this disables all HTTP request target.
Any other request target for OPTIONS (HTTP origin form) then the constraint should include the appropriate url-pattern against the webapp in question.