Disable CONNECT Method in HTTP

Introduction

Some security vulnerability scanners might report that your Apache server is vulnerable because the CONNECT method is allowed. For example, a scanner might report:

  • CONNECT Method Allowed in HTTP Server Or HTTP Proxy Server Vulnerability
  • The HTTP server or the HTTP proxy server accepts the "CONNECT" method.

The following section explains how to disable the CONNECT method on your installation.

Disabling CONNECT Method

There is no inherent vulnerability in the CONNECT method, but you should not leave it enabled, since it would allow Apache httpd to be used as a proxy. It should only be enabled if you intend for Apache httpd to be used as a proxy.

If a scanner reports a finding such as "CONNECT Method Allowed in HTTP Server Or HTTP Proxy Server Vulnerability", you will need to disable the CONNECT method in HTTP.

To disable the CONNECT method in HTTP, make the following changes in the .htaccess file.

Generally, the file location on Linux is /var/www/html/.htaccess and on Windows is C:\xampp\htdocs\.htaccess


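# Turn on mod_rewrite processing for this directory
RewriteEngine on
# Match requests whose HTTP method starts with CONNECT
RewriteCond %{REQUEST_METHOD} ^CONNECT
# Leave the URL unchanged ("-") and answer with 405 Method Not Allowed
RewriteRule .* - [R=405,L]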


The above code answers any CONNECT request with 405 Method Not Allowed, which automatically rejects the request with no acknowledgement.
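
To confirm the rule took effect on your own server, the following added example (not part of the original page) sends a single CONNECT request and reports the status code that comes back. The function names and result labels are hypothetical, and the request asks the server to tunnel back to its own host:port so no third-party host is involved.

```python
import socket

def build_connect_request(target):
    """Return a minimal HTTP/1.1 CONNECT request for target ("host:port")."""
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")

def parse_status(response):
    """Extract the numeric status code from a raw HTTP response, or None."""
    parts = response.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def classify(status):
    """Map a status code to a result label (labels are this example's own)."""
    if status is None:
        return "no-http-response"
    if 200 <= status < 300:
        return "connect-allowed"        # tunnel accepted: server acts as a proxy
    if status == 405:
        return "connect-rejected-405"   # what the rewrite rule should produce
    return "other-status"               # e.g. 400/403/502: inspect manually

def exchange(sock, target):
    """Send one CONNECT request on a connected socket and classify the reply."""
    sock.sendall(build_connect_request(target))
    try:
        data = sock.recv(4096)          # the status line is in the first bytes
    except socket.timeout:
        data = b""
    status = parse_status(data)
    return status, classify(status)

def probe_connect(host, port=80, timeout=5.0):
    """Connect to host:port and ask it to CONNECT back to itself."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return exchange(s, f"{host}:{port}")

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print(probe_connect(host, port))
```

Run it with the server's host name and port as arguments. A result of connect-allowed means the method is still accepted and the configuration needs another look.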