HTTP offers a number of methods such as GET, POST, OPTIONS, PUT, and DELETE. To process a request, a web server provides HTTP methods, and each HTTP method has a different function. For example, the GET method is used to retrieve web pages from the server, and the POST method is used to send a request with an entity enclosed in the body.
Some of these methods are typically dangerous to expose.
HEAD, GET, POST, CONNECT – these are safe, at least as far as the HTTP method itself is concerned. Of course, the request itself may carry malicious parameters, but that is separate from the method. These are typically (note the exception below) the only ones that should be enabled.
PUT, DELETE – these methods are intended as file management operations: they let a client change or delete files on the server’s file system, arbitrarily. Obviously, if these are enabled, the server is open to some dangerous attacks; the PUT method can be used to upload malicious code and web shells to the target. File access permissions should be very strictly limited if you absolutely MUST have these methods enabled.
OPTIONS – a diagnostic method that reports which HTTP methods are active on the web server.
TRACE – returns the entire HTTP request in the response body. This includes the request body, but also the request headers, including e.g. cookies, authorization headers, and more. This should definitely be disabled.
Each HTTP method performs a different function, and each has an associated level of risk when its use is permitted on the web server. In the example above, we can see that the OPTIONS method is enabled, so an attacker can use the OPTIONS method in a request to identify which methods are allowed.
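The following is an added example, not code from the original article, showing the defensive side of the method list above: a small WSGI middleware that enforces an allow-list of HEAD, GET and POST, answers OPTIONS itself with an Allow header that lists only the permitted methods, and refuses PUT, DELETE, TRACE or anything else with 405 before the request reaches the application. It also includes a helper that audits an Allow header (the kind of reply an OPTIONS probe gets) for the methods the article classes as dangerous. The demo application, the `call` driver and the sample requests (including the `Cookie: session=secret` header used to show that TRACE cannot echo it) are constructed for this demonstration; the names `MethodAllowlist`, `make_demo_app`, `call` and `risky_methods` are assumptions of this example, not any framework's API.

```python
import io

# Methods the article treats as safe to expose. Everything else (PUT, DELETE,
# TRACE, ...) is refused before it reaches the application.
SAFE_METHODS = frozenset({"GET", "HEAD", "POST"})
# Methods the article singles out as dangerous; used by the Allow-header audit below.
RISKY_METHODS = frozenset({"PUT", "DELETE", "TRACE"})


class MethodAllowlist:
    """WSGI middleware (hypothetical, for this example): refuse any method outside
    the allow-list with 405, and answer OPTIONS itself so the diagnostic reply
    only advertises the methods that are actually permitted."""

    def __init__(self, app, allowed=SAFE_METHODS):
        self.app = app
        self.allowed = frozenset(m.upper() for m in allowed)
        # OPTIONS is advertised because the middleware answers it, but it never
        # reaches the wrapped application.
        self.allow_header = ", ".join(sorted(self.allowed | {"OPTIONS"}))

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "").upper()
        if method == "OPTIONS":
            start_response("204 No Content", [("Allow", self.allow_header)])
            return [b""]
        if method not in self.allowed:
            body = b"405 Method Not Allowed\n"
            start_response("405 Method Not Allowed", [
                ("Allow", self.allow_header),
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def make_demo_app(seen):
    """Stand-in application (constructed) that records every method it receives."""
    def app(environ, start_response):
        seen.append(environ["REQUEST_METHOD"])
        body = b"hello\n"
        start_response("200 OK", [("Content-Type", "text/plain"),
                                  ("Content-Length", str(len(body)))])
        return [body]
    return app


def call(app, method, path="/", headers=None):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.input": io.BytesIO(b""),
    }
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(response_headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def risky_methods(allow_header):
    """Audit an Allow header (as returned to OPTIONS) and return, sorted, the
    methods the article classes as dangerous, so a scan result is easy to triage."""
    advertised = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    return sorted(advertised & RISKY_METHODS)


if __name__ == "__main__":
    seen = []
    app = MethodAllowlist(make_demo_app(seen))
    for method in ("GET", "OPTIONS", "TRACE", "PUT"):
        status, hdrs, body = call(app, method, headers={"Cookie": "session=secret"})
        print(f"{method:8} -> {status}  Allow: {hdrs.get('Allow', '-')}")
    print("application saw:", seen)                       # only ['GET']
    print("risky in 'GET, POST, PUT, DELETE, TRACE':",
          risky_methods("GET, POST, PUT, DELETE, TRACE"))  # ['DELETE', 'PUT', 'TRACE']
```

The allow-list is deliberately enforced in front of the application rather than inside each handler: a method that is never dispatched cannot be abused by a handler that forgot to check it, and the Allow header the server advertises stays in step with what it actually accepts. In production the same effect is usually obtained from the web server's own configuration (for example disabling TRACE and restricting methods per location), with middleware like this as a second layer.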