# Disabling the HTTP Method Override Request

> Some web frameworks provide a way to override the HTTP method in the request by supplying specific HTTP request headers, such as `X-HTTP-Method`, `XHTTP-Method-Override`, and `X-Method-Override`.

Some web frameworks provide a way to override the HTTP method in the request by supplying specific HTTP request headers, such as `X-HTTP-Method`, `XHTTP-Method-Override`, and `X-Method-Override`.

Authorization in Orchestrator is performed, by default, after HTTP headers are consumed. As a result, verb tunneling is not something you should worry about.

However, for an added extra layer of security, you can disable the `X-HTTP-METHOD-OVERRIDE` header in the `web.config` file of your Orchestrator instance, by setting its size limit to 0.

For example, you can add the following in the config file:

```
<security>
     <requestFiltering>
          <requestLimits>
              <headerLimits>
                    <add header="X-HTTP-METHOD-OVERRIDE" sizeLimit="0" />
               </headerLimits>
           </requestLimits>
     </requestFiltering>
</security>
```