This section explains how to overwrite the list of HTTP methods allowed in a WAF Profile and allow more methods.
Custom Rule Syntax:
SecRule <variable> "@unconditionalMatch" "id:4099804,phase:1,pass,setvar:'tx.allowed_methods=GET HEAD POST PUT OPTIONS DELETE PATCH'"
Example:
In this example, the allowed HTTP methods are GET, HEAD, POST, PUT, OPTIONS, DELETE, and PATCH. @unconditionalMatch forces the rule to always return true.
SecRule REMOTE_ADDR "@unconditionalMatch" "id:4099804,phase:1,pass,setvar:'tx.allowed_methods=GET HEAD POST PUT OPTIONS DELETE PATCH'"
Note:
You can overwrite the list of methods in the Pre-CRS rules of WAF Policy, if needed.
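A pre-deployment check for an override like the one above, as an added example that is not part of the original documentation or the product: it extracts the tx.allowed_methods list from a rule, reports which methods the rule adds to or drops from a baseline, and flags typographic quotes picked up by copy and paste. The function name and the baseline list (the upstream CRS default, used here as an assumption) are illustrative; replace the baseline with the list in your own WAF Profile.

```python
import re

# Assumption: upstream CRS default list; substitute your WAF Profile's own list.
BASELINE = "GET HEAD POST OPTIONS"
STANDARD = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "TRACE", "CONNECT"}
SETVAR = re.compile(r"setvar:'tx\.allowed_methods=([^']*)'")
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"

def audit_override(rule, baseline=BASELINE):
    """Report what a tx.allowed_methods override adds to or drops from a baseline."""
    report = {"methods": [], "added": [], "removed": [], "problems": []}
    if any(q in rule for q in TYPOGRAPHIC_QUOTES):
        report["problems"].append("typographic quote found; retype with ASCII quotes")
    match = SETVAR.search(rule)
    if match is None:
        report["problems"].append("no setvar:'tx.allowed_methods=...' action found")
        return report
    methods = match.group(1).split()
    base = baseline.split()
    for name in methods:
        if name != name.upper():
            report["problems"].append(f"{name}: method names are case-sensitive, use upper case")
        elif name not in STANDARD:
            report["problems"].append(f"{name}: not a standard method, check the spelling")
    if len(set(methods)) != len(methods):
        report["problems"].append("duplicate method in list")
    report["methods"] = methods
    report["added"] = [m for m in methods if m not in base]      # newly exposed methods
    report["removed"] = [m for m in base if m not in methods]    # methods the override blocks
    return report

# The rule from this page, used as sample input.
PAGE_RULE = ("SecRule REMOTE_ADDR \"@unconditionalMatch\" \"id:4099804,phase:1,pass,"
             "setvar:'tx.allowed_methods=GET HEAD POST PUT OPTIONS DELETE PATCH'\"")
# Constructed bad input: curly quote from copy/paste, misspelt method, POST and OPTIONS dropped.
BAD_RULE = ("SecRule REMOTE_ADDR \u201c@unconditionalMatch\" \"id:4099804,phase:1,pass,"
            "setvar:'tx.allowed_methods=GET HEAD PUTT'\"")

if __name__ == "__main__":
    for label, rule in (("page rule", PAGE_RULE), ("bad rule", BAD_RULE)):
        print(label, audit_override(rule))
```

The "added" list is the set of methods the backend application must handle safely once the rule is active, so review it against what the application actually needs.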