How do you enable or disable HTTP methods for an IBM® Domino® Web server? The RFC 2616 standard defines eight methods that may be used for HTTP as follows:
The Domino server responds to disallowed methods with an HTTP 405 error, which is Method Not Allowed as defined by the HTTP/1.1 specification. Some security scanning software will recommend disabling certain methods such as TRACE.
If you are using Internet Sites, you control the allowed methods in the Web Site document. To verify or change the settings, go to the Web Site document - Configuration tab, and review the Allowed Methods section. (The method CONNECT is rarely used and not allowed; therefore it is not listed.) Refer to the screen capture below.
If you are using the Web Configurations view instead of Internet Sites, you can disable HTTP methods by using the notes.ini variable HTTPDisableMethods with a value of the method name. Separate multiple method names using a comma. For example, to disable the TRACE method, you would enter HTTPDisableMethods=TRACE. To disable TRACE and OPTIONS, you would enter HTTPDisableMethods=TRACE,OPTIONS
When Internet Sites are enabled, the settings on the Internet Site document take precedence over the HTTPDisableMethods setting in notes.ini
To determine which configuration is in use, open the server document to the Basics tab. If "Load Internet configurations from Server\Internet Sites documents" is enabled, the server is using Internet Sites. If it is disabled the server is using the Web Configurations view.