Parameter: HTTPDisableMethods
Short description: Disables specific HTTP methods (e.g. TRACE, DELETE, PUT) to harden the web server.
Profile
Parameter | HTTPDisableMethods |
Category | Security / TLS |
Component | Server |
Available since | R8 |
Supported versions | 9.0.1, 10.0, 11.0, 12.0, 14.0, 14.5 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | Comma-separated list, e.g. TRACE,DELETE,PUT,CONNECT,OPTIONS |
Description
HTTPDisableMethods forces the Domino web server to immediately answer incoming HTTP requests using the named methods with 405 Method Not Allowed. This makes it possible to block potentially unsafe or rarely needed methods at the server level – without modifying individual applications.
Classic hardening entry: disable TRACE (cross-site tracing protection). Depending on the application, DELETE / PUT / CONNECT / OPTIONS should also be added.
Example configuration
HTTPDisableMethods=TRACE,DELETE,PUT,CONNECT,OPTIONS
Notes & pitfalls
- WebDAV applications require PUT,DELETE,OPTIONS,PROPFIND – do not block these wholesale.
- REST APIs (Domino REST API, custom XPages REST services) often need PUT,DELETE,PATCH.
- Always block TRACE (cross-site tracing protection).
- Complements – does not replace – reverse-proxy rules (e.g. nginx limit_except).
- The change only takes effect after a restart of the HTTP task.
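The pitfalls above can be checked before the HTTP task is restarted. The following is an added example, not part of the original page or of any Domino tooling: it audits notes.ini text for a missing TRACE entry and for blocked methods that a WebDAV or REST workload needs. The profile names `webdav` and `rest`, the function names, the case-insensitive key match and the upper-casing of method names are assumptions made for this sketch.

```python
# Method sets are taken from the notes above; the profile names are
# hypothetical labels chosen for this example.
REQUIRED = {
    "webdav": {"PUT", "DELETE", "OPTIONS", "PROPFIND"},
    "rest": {"PUT", "DELETE", "PATCH"},
}

# Constructed sample input, using the example configuration from this page.
SAMPLE_INI = "[Notes]\nHTTPDisableMethods=TRACE,DELETE,PUT,CONNECT,OPTIONS\n"


def disabled_methods(ini_text):
    """Return (set of disabled methods, number of HTTPDisableMethods lines)."""
    methods, count = set(), 0
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        # Assumption: the key is matched case-insensitively, blanks ignored.
        if sep and key.strip().lower() == "httpdisablemethods":
            count += 1
            # Assumption: method names are compared in upper case.
            methods |= {m.strip().upper() for m in value.split(",") if m.strip()}
    return methods, count


def audit(ini_text, profiles=()):
    """Return a list of findings; an empty list means nothing to report."""
    methods, count = disabled_methods(ini_text)
    findings = []
    if count == 0:
        findings.append("HTTPDisableMethods is not set")
    if count > 1:
        findings.append("HTTPDisableMethods is set more than once")
    if "TRACE" not in methods:
        findings.append("TRACE is not disabled")
    for name in profiles:
        # Blocked methods that this workload depends on.
        clash = sorted(methods & REQUIRED[name])
        if clash:
            findings.append(f"{name} needs blocked methods: {','.join(clash)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INI, profiles=["webdav", "rest"]):
        print(finding)
```

Run against the example configuration with both profiles selected, it reports that the blanket list would break WebDAV and REST workloads on the same server.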