Can apache be configured to ignore OPTIONS requests?

Question

I run a small webapp for a couple of departments at work, which is very low traffic and doesn't have that many users. It's built on top of Django and uses apache as the web server. I have things configured to email me when any errors occur which until yesterday was a great thing - there aren't many errors, but sometimes the users don't speak up when they encounter problems, so it allows me to stay on top of things.

Yesterday we had a new user, and I started getting tons of error emails. He had no idea that anything was wrong, so I figured it was something behind the scenes. When I looked at the logs, they are HTTP OPTIONS requests which are using the "Microsoft Data Access Internet Publishing Provider Protocol" and "Microsoft Office Protocol Discovery". I'd never heard of this until that point, but it appears to be some sort of MS web folders/webDAV thing.

One option is to figure out how he can turn that off and tell him to stop doing that, but I'd rather just cut the head off here and do something like have apache just not pass on those requests to Django Is there a way that this can be handled?

Answer 1

How about:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^OPTION
RewriteRule .* - [F]

(With mod_rewrite enabled.)

Answer 2

The rewrite option is good, the 'Apache Way' is probably more like:

<LimitExcept GET POST>
deny from all
</LimitExcept>

or...

<Limit OPTIONS>
deny from all
</Limit>

Answer 3

I found a solution used by a different framework and ported to Django. I place this at the top of any view that generate HTML with links to .XLS or .DOC files:

if request.method == 'OPTIONS':
    response = HttpResponse()
    response['Allow'] = 'GET, HEAD, POST'
    return response

I like Apache solution better though... assuming it doesn't cause problems on the Windows side of things.