orchestrator
2023.10
false
- Getting Started
- Requirements
- Best Practices
- Deployment and Configuration Considerations
- Encrypting the SQL Server
- Disabling the HTTP Method Override Request
- Using the FileSystem Storage Allowlist Securely
- Installation
- Updating
- Identity Server
- Troubleshooting startup errors
Disabling the HTTP Method Override Request
Orchestrator Installation Guide
Last updated Oct 3, 2024
Disabling the HTTP Method Override Request
Some web frameworks provide a way to override the HTTP method in the request by supplying specific HTTP request headers, such
as
X-HTTP-Method
, XHTTP-Method-Override
, and X-Method-Override
.
Authorization in Orchestrator is performed, by default, after HTTP headers are consumed. As a result, verb tunneling is not something you should worry about.
However, for an added extra layer of security, you can disable the
X-HTTP-METHOD-OVERRIDE
header in the web.config
file of your Orchestrator instance, by setting its size limit to 0.
For example, you can add the following in the config file:
<security>
<requestFiltering>
<requestLimits>
<headerLimits>
<add header="X-HTTP-METHOD-OVERRIDE" sizeLimit="0" />
</headerLimits>
</requestLimits>
</requestFiltering>
</security>
<security>
<requestFiltering>
<requestLimits>
<headerLimits>
<add header="X-HTTP-METHOD-OVERRIDE" sizeLimit="0" />
</headerLimits>
</requestLimits>
</requestFiltering>
</security>