Core Ruleset: 910xxx

Rules with the 911xxx prefix protect web applications from request method attacks.

Paranoia level 1 (default)

Rule: 911100

This rule restricts the request methods that can be used when making HTTP requests to the web application.

The core ruleset defines the following as allowed methods by default.

GET HEAD POST OPTIONS

Message: Method is not allowed by policy

Example:

curl --request PATCH \
  --url http://localhost:8088/test.jpg \
  --header 'Cookie: a=uname -i'