# 已啟用不安全的 "OPTIONS" HTTP 方法 修正： 停用 WebDAV，或禁止不需要的 HTTP 方法 用curl檢查 ```\ curl -v -X OPTIONS 網址 ``` Console ``` HTTP/1.1 200 OK X-XSS-Protection: 1; mode=block Server: Apache-Coyote/1.1 Content-Length: 0 X-Frame-Options: DENY X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=0 Date: Mon, 09 Nov 2020 17:23:06 GMT Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS ``` 解決方法: 在tomcat上面的Web.xml加上程式碼 ```\ <security-constraint> <web-resource-collection> <url-pattern>/*</url-pattern> <http-method>PUT</http-method> <http-method>DELETE</http-method> 　 <http-method>HEAD</http-method> <http-method>OPTIONS</http-method> <http-method>TRACE</http-method> </web-resource-collection> <auth-constraint></auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> </login-config> ``` ###### tags: 弱點掃描