Vulnerability fix: Often Misused: HTTP Method Override
Description
In order to protect access to various resources, web servers may be configured to prevent the usage of specific HTTP verbs. However, some web frameworks provide a way to override the HTTP method in the request by supplying specific HTTP request headers. This feature is typically used when a web or proxy server restricts certain verbs but the application needs to use them, especially in RESTful services. It is possible for a malicious user to take advantage of this feature to bypass HTTP verb restrictions implemented on a server. Doing so may allow the attacker to perform unintended actions on protected resources in the web application.
Solution
nginx
Add the following under the server block:
set $method $request_method;
proxy_method $method;
For example:
server{
set $method $request_method;
proxy_method $method;
}
Rationale
By default, proxy the request using only the original request method, ignoring the override header.
Alternatively, the header can be removed.
Use the nginx module headers-more-nginx-module to remove these three headers:
X-Http-Method-Override
X-Method-Override
X-HTTP-Method
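The two approaches above combined in one reverse-proxy configuration, as an added example that is not from the original post; the upstream name backend, the listen port and the backend address are assumptions:

```nginx
# Added example (not from the original post): reverse proxy that ignores
# HTTP method override headers. Upstream name and addresses are assumed.
upstream backend {
    server 127.0.0.1:8080;
}

server {
    listen 80;

    location / {
        # Forward the request with the method the client actually used.
        # Note: this only controls the method nginx sends upstream; the
        # override header itself is still forwarded unless removed below,
        # and a backend framework that honours it would still act on it.
        set $method $request_method;
        proxy_method $method;

        # Option 1 (plain nginx, no extra module): proxy_set_header with an
        # empty value drops the header from the proxied request entirely.
        proxy_set_header X-HTTP-Method-Override "";
        proxy_set_header X-Method-Override "";
        proxy_set_header X-HTTP-Method "";

        # Option 2 (requires headers-more-nginx-module): clear the headers
        # from the incoming request before any further processing.
        # more_clear_input_headers 'X-HTTP-Method-Override' 'X-Method-Override' 'X-HTTP-Method';

        proxy_pass http://backend;
    }
}
```

To verify, send a POST carrying one of the override headers through the proxy and confirm in the backend's access log that it received a POST with no override header present.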
References
https://vulncat.fortify.com/en/detail?id=desc.dynamic.xtended_preview.often_misused_http_method_override
https://stackoverflow.com/questions/66032991/how-do-i-ensure-that-x-http-method-headers-are-ignored
https://docs.uipath.com/installation-and-upgrade/lang-zh_CN/docs/disabling-the-http-method-override-request
http://fandry.blogspot.com/2012/03/x-http-header-method-override-and-rest.html
https://mdnice.com/writing/09441b48b09a4e4f9db64203c95ce7f9