Probably an easy one, this, but I can't be sure.

I get quite a few apparently nefarious HEAD requests in my host's error history and I'm in the process of tightening things up with .htaccess rules and HTTP headers. One common mod_rewrite rule blocks types other than GET and POST, which would neatly deal with that category of behaviour.

But when I asked Brave whether Drupal needs HEAD, the slightly ambiguous answer was that the core doesn't strictly need it, although REST API does. If that's related to the RESTful Web Services core module, that's not enabled.

In my case, is it safe to block HEAD requests?

Comments

jaypan’s picture

Well, it will be safe insofar as it won't expose access. But if anyone is legitimately using your site for HEAD requests in some way, you'll cut them off. If you aren't using REST API, you're probably OK to cut off HEAD requests.

Contact me to contract me for D7 -> D10/11 migrations.

Anonymous’s picture

Thanks, jaypan. One thing which I hadn't thought to check, so I just have, is RSS. I found out that some readers use HEAD to update without unnecessary fetching, so I think that it's best to leave it permitted and block those bad requests in my other rules.

jaypan’s picture

That's good info :)

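Before blocking HEAD outright, the access log can show who actually relies on it, which is how the RSS case above would surface. The following is an added example, not code from anyone in this thread: it tallies HEAD requests from Apache combined-format log lines, separating feed polling from everything else. The feed paths, sample log lines and agent name are constructed assumptions.

```python
import re
from collections import Counter

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)

# Assumption: the site's feeds end in one of these paths; adjust as needed.
FEED_PATHS = ("/rss.xml", "/feed")

def audit_head(lines, feed_paths=FEED_PATHS):
    """Return (feed_agents, other): HEAD hits on feeds counted per user agent,
    and all remaining HEAD hits counted per (host, path, status)."""
    feed_agents, other = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "HEAD":
            continue  # unparsable line or not a HEAD request
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if any(path.endswith(p) for p in feed_paths):
            feed_agents[m["agent"]] += 1
        else:
            other[(m["host"], path, m["status"])] += 1
    return feed_agents, other

# Constructed sample lines (documentation IP ranges, made-up agent name).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "HEAD /rss.xml HTTP/1.1" 200 - "-" "ExampleFeedReader/1.0"',
    '192.0.2.10 - - [01/Jan/2025:11:00:00 +0000] "HEAD /rss.xml HTTP/1.1" 200 - "-" "ExampleFeedReader/1.0"',
    '192.0.2.44 - - [01/Jan/2025:11:05:00 +0000] "HEAD /taxonomy/term/3/feed HTTP/1.1" 200 - "-" "ExampleFeedReader/1.0"',
    '198.51.100.7 - - [01/Jan/2025:11:06:00 +0000] "HEAD /backup.zip HTTP/1.1" 404 - "-" "-"',
    '203.0.113.5 - - [01/Jan/2025:11:07:00 +0000] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    feeds, rest = audit_head(SAMPLE)
    print("HEAD on feeds, by agent:", dict(feeds))
    print("Other HEAD requests:", dict(rest))
```

If the first counter is non-empty, a blanket HEAD block would cut off those readers; the second counter lists the requests worth targeting with narrower rules.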