Core Ruleset: 910xxx
Rules with the 911xxx prefix protect web applications from request method attacks.
Paranoia level 1 (default)
Rule: 911100
This rule restricts the request methods that can be used when making HTTP requests to the web application.
The core ruleset defines the following as allowed methods by default.
GET HEAD POST OPTIONS
Message: Method is not allowed by policy
Example:
curl --request PATCH \
  --url http://localhost:8088/test.jpg \
  --header 'Cookie: a=uname -i'
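
Changing the allowed list that rule 911100 checks, as an added example that is not part of the original page: CRS reads the list from the `tx.allowed_methods` variable, which `crs-setup.conf` sets in rule 900200. The `/api/` path prefix and the rule id 1000 in the second rule are hypothetical and should be adapted to the deployment.

```apache
# crs-setup.conf: the default list that rule 911100 compares
# REQUEST_METHOD against. Uncommented here so the value is explicit.
SecAction \
    "id:900200,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"

# Hypothetical override, placed after the rule above and before the CRS
# rule files are included: widen the list only for requests under /api/
# (assumed path), so every other URL keeps the four default methods.
SecRule REQUEST_URI "@beginsWith /api/" \
    "id:1000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PATCH DELETE'"
```

With this in place, the PATCH request to /test.jpg shown above is still rejected with "Method is not allowed by policy", because its path does not start with /api/.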