# Control of request methods

This use case shows how to restrict incoming requests according to the HTTP method they use.

## Authorized Methods

This case shows how to accept only requests whose method is in a defined list.

### Configuration sample for authorized methods

With this sample YAML file, requests whose method is not GET, POST or HEAD are blocked: an alert is logged and a 403 response is returned.

```yaml
---
apiVersion: core/v1beta
kind: App
metadata:
  name: myweb
spec:
  name: myweb.com
  log_level: debug
  workflow: main
  workflow_params:
    # Space-separated list of authorized methods
    methods: "GET POST HEAD"
  backend: mybackend.com
---
apiVersion: core/v1beta
kind: Workflow
metadata:
  name: main
spec:
  entrypoint: main
  source: |-
    package main

    func main(methods string){
      SubWorkflow_AuthorizedMethods(Args{
        "methods": params.methods
      })
    }

    func AuthorizedMethods(methods string) {
      methodChecking := `${re_extract(params.methods, "("+http.request.method+")", "\1")}`
      if methodChecking == ""{
          ActionLogAlert(Args{"engineUid":"Custom","customMessage":"Method ${http.request.method} is not allowed"})
          ActionGenerateResponse(Args{"status":"403", "content-default":"true"})
      }
    }
```

### Parameters

The methods to authorize have to be passed in `workflow_params`, in the parameter named `methods`. The parameter has to be a string containing the names of all authorized methods. For example: "GET POST HEAD".

If you don't want to use workflow parameters, you can directly set the authorized methods in the function call to SubWorkflow_AuthorizedMethods:

```
SubWorkflow_AuthorizedMethods(Args{
  "methods": "GET POST HEAD"
})
```

## Forbidden Methods

This case shows how to block requests whose method is in a defined list.

### Configuration sample for forbidden methods

With this sample YAML file, requests whose method is PUT, DELETE, CONNECT or TRACE are blocked: an alert is logged and a 403 response is returned.

```yaml
---
apiVersion: core/v1beta
kind: App
metadata:
  name: myweb
spec:
  name: myweb.com
  log_level: debug
  workflow: main
  workflow_params:
    # Space-separated list of forbidden methods
    methods: "PUT DELETE CONNECT TRACE"
  backend: mybackend.com
---
apiVersion: core/v1beta
kind: Workflow
metadata:
  name: main
spec:
  entrypoint: main
  source: |-
    package main

    func main(methods string){
      SubWorkflow_ForbiddenMethods(Args{
        "methods": params.methods
      })
    }

    func ForbiddenMethods(methods string) {
      methodChecking := `${re_extract(params.methods, "("+http.request.method+")", "\1")}`
      if methodChecking != ""{
          ActionLogAlert(Args{"engineUid":"Custom","customMessage":"Method ${http.request.method} is not allowed"})
          ActionGenerateResponse(Args{"status":"403", "content-default":"true"})
      }
    }
```

### Parameters

The methods to block have to be passed in `workflow_params`, in the parameter named `methods`. The parameter has to be a string containing the names of all forbidden methods. For example: "PUT DELETE CONNECT TRACE".

If you don't want to use workflow parameters, you can directly set the forbidden methods in the function call to SubWorkflow_ForbiddenMethods:

```
SubWorkflow_ForbiddenMethods(Args{
  "methods": "PUT DELETE CONNECT TRACE"
})
```
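
The two policies above, modelled in Go as an added example (not the product's workflow code): it applies the page's two method lists to a constructed sample of request methods and reports which ones the forbidden list forwards although the authorized list would block them. `Decide`, `Gap`, `Mode` and the 200 "forwarded" status are names and values assumed for the example, and it compares whole tokens case-sensitively instead of calling the workflow's `re_extract`.

```go
package main

import (
	"fmt"
	"strings"
)

// Mode selects how the configured method list is interpreted.
type Mode int

const (
	Authorized Mode = iota // only listed methods pass (allowlist)
	Forbidden              // listed methods are blocked (denylist)
)

// Decide returns the status for one request method: 200 when the request
// is forwarded, 403 when it is blocked. list uses the page's format
// (names separated by spaces). Assumption of this example: comparison is
// whole-token and case-sensitive.
func Decide(mode Mode, list, method string) int {
	listed := false
	for _, m := range strings.Fields(list) {
		listed = listed || m == method
	}
	if (mode == Authorized) != listed { // allowlist miss or denylist hit
		return 403
	}
	return 200
}

// Gap returns the sample methods that the forbidden list lets through
// although the authorized list would block them.
func Gap(authorized, forbidden string, sample []string) []string {
	var out []string
	for _, m := range sample {
		if Decide(Forbidden, forbidden, m) == 200 && Decide(Authorized, authorized, m) == 403 {
			out = append(out, m)
		}
	}
	return out
}

func main() {
	// Constructed sample of request methods, not captured traffic.
	sample := []string{"GET", "POST", "HEAD", "PUT", "DELETE", "TRACE", "OPTIONS", "PATCH", "PROPFIND", "get"}
	fmt.Println(Gap("GET POST HEAD", "PUT DELETE CONNECT TRACE", sample))
}
```

Every method the forbidden list does not name is forwarded, so the authorized list is the stricter of the two configurations when the backend only needs a known set of methods.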
Last Updated: 10/8/2021, 7:53:09 AM