How do you enable or disable HTTP methods for a Lotus® Domino® Web server? The RFC 2616 standard defines eight methods that may be used for HTTP as follows:
The Domino server responds to disallowed methods with an HTTP 405 error, which is Method Not Allowed as defined by the HTTP/1.1 specification. Some security scanning software will recommend disabling certain methods such as TRACE.
If you are using Internet Sites, you control the allowed methods in the Web Site document. To verify or change the settings, go to the Web Site document - Configuration tab, and review the Allowed Methods section. (The method CONNECT is rarely used and not allowed; therefore it is not listed.) Refer to the screen capture below.
If you are using the Web Configurations view instead of Internet Sites, you can disable HTTP methods by using the notes.ini variable HTTPDisableMethods with a value of the method name. Separate multiple method names using a comma. For example, to disable the TRACE method, you would enter HTTPDisableMethods=TRACE. To disable TRACE and CONNECT, you would enter HTTPDisableMethods=TRACE,CONNECT.
Screen capture of Web Site document: