Some web frameworks provide a way to override the HTTP method in the request by supplying specific HTTP request headers, such as
Authorization in Orchestrator is performed, by default, after HTTP headers are consumed. As a result, verb tunneling is not something you should worry about.
However, as an extra layer of security, you can disable the X-HTTP-METHOD-OVERRIDE header in the web.config file of your Orchestrator instance by setting its size limit to 0.
For example, you can add the following in the
    <security>
      <requestFiltering>
        <requestLimits>
          <headerLimits>
            <add header="X-HTTP-METHOD-OVERRIDE" sizeLimit="0" />
          </headerLimits>
        </requestLimits>
      </requestFiltering>
    </security>
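To confirm the setting is really in effect in a deployed web.config, the added example below (not UiPath's code) parses the file and reports whether the header's size limit is pinned to 0, honouring later `<remove>`/`<clear>` entries and case differences in the header name. It assumes the block sits under `system.webServer`, the standard IIS location for request filtering, and it inspects one file only, so limits inherited from other IIS configuration levels are not seen; the function names and sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

OVERRIDE_HEADER = "X-HTTP-METHOD-OVERRIDE"  # the header this page disables
LIMITS_PATH = ".//security/requestFiltering/requestLimits/headerLimits"

def effective_header_limits(web_config_xml):
    """Map lower-cased header name -> sizeLimit after applying the
    <add>/<remove>/<clear> entries of this one file in document order."""
    limits = {}
    for collection in ET.fromstring(web_config_xml).iterfind(LIMITS_PATH):
        for entry in collection:
            name = entry.get("header", "").strip().lower()
            if entry.tag == "clear":
                limits.clear()
            elif entry.tag == "remove":
                limits.pop(name, None)
            elif entry.tag == "add" and name:
                try:
                    limits[name] = int(entry.get("sizeLimit", ""))
                except ValueError:
                    limits[name] = None  # missing or non-numeric limit
    return limits

def override_header_blocked(web_config_xml, header=OVERRIDE_HEADER):
    """True only when the file pins the header's size limit to exactly 0."""
    return effective_header_limits(web_config_xml).get(header.lower()) == 0

def wrap(header_limits_body):
    # Constructed sample: minimal web.config skeleton around a headerLimits body.
    return ("<configuration><system.webServer><security><requestFiltering>"
            "<requestLimits><headerLimits>" + header_limits_body +
            "</headerLimits></requestLimits></requestFiltering></security>"
            "</system.webServer></configuration>")

# Constructed sample inputs (not taken from a real Orchestrator install).
SAMPLES = {
    "hardened": wrap('<add header="X-HTTP-METHOD-OVERRIDE" sizeLimit="0" />'),
    "lowercase": wrap('<add header="x-http-method-override" sizeLimit="0" />'),
    "nonzero": wrap('<add header="X-HTTP-METHOD-OVERRIDE" sizeLimit="64" />'),
    "removed": wrap('<add header="X-HTTP-METHOD-OVERRIDE" sizeLimit="0" />'
                    '<remove header="X-HTTP-METHOD-OVERRIDE" />'),
    "absent": "<configuration><system.webServer /></configuration>",
}

if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        state = "blocked" if override_header_blocked(xml_text) else "NOT blocked"
        print(f"{label:10} {state}")
```

Run it against the file's contents after each Orchestrator upgrade or web.config merge, since a replaced file silently drops the entry.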