HTTPDisableMethods

Parameter: HTTPDisableMethods
Short description: Disables selected HTTP methods (e.g. TRACE, OPTIONS) on the Domino web server. Only takes effect when the server uses the Web Configurations view rather than Internet Sites.

Profile

Parameter: HTTPDisableMethods
Component: Server (HTTP task)
Category: HTTP / Web
Available since: 9.0.x (per KB0032789)
Values: Comma-separated list of HTTP methods, e.g. TRACE, OPTIONS
Effect: Listed methods are rejected with HTTP 405 "Method Not Allowed"
Prerequisite: Server uses the Web Configurations view, not Internet Sites
GUI equivalent: Internet Site document → Configuration tab → Allowed Methods section

Description

RFC 2616 defines eight HTTP methods: GET, HEAD, POST, OPTIONS, PUT, DELETE, TRACE, and CONNECT. Security scanners frequently recommend disabling some of these methods on web servers — first and foremost TRACE, because it can enable cross-site tracing.
With HTTPDisableMethods, these methods can be selectively blocked on a Domino web server. Domino responds to requests using a blocked method with status code HTTP 405 "Method Not Allowed", as specified by the HTTP/1.1 protocol. The CONNECT method is never permitted regardless.

Examples

HTTPDisableMethods=TRACE
HTTPDisableMethods=TRACE,OPTIONS
HTTPDisableMethods=TRACE,DELETE,PUT

Important restriction: Web Configurations vs. Internet Sites

HTTPDisableMethods only takes effect when the server uses the Web Configurations view rather than Internet Sites. If Internet Sites are active, the settings from the Internet Site document override the notes.ini entry.
To identify the active configuration, open the Server document, Basics tab, and check the field Load Internet configurations from Server\Internet Sites documents:
  • Value Enabled → server uses Internet Sites → HTTPDisableMethods has no effect.
  • Value Disabled → server uses the Web Configurations view → HTTPDisableMethods is active.
With Internet Sites active, the same effect can be achieved in the Internet Site document: Configuration tab → Allowed Methods section. The CONNECT method is not listed individually there because it is generally prohibited.
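The following added example (not from HCL or this wiki) puts the rules from the Description and from the restriction above into an offline audit: it reads HTTPDisableMethods from a constructed notes.ini excerpt, derives the status Domino should return per RFC 2616 method, and warns when the setting is ineffective (Internet Sites enabled), lists an unknown method, or leaves TRACE open. The notes.ini content and the server name are constructed sample data.

```python
"""Offline audit of a Domino notes.ini HTTPDisableMethods setting (added example)."""
import re

RFC2616_METHODS = {"GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT"}

# Constructed notes.ini excerpt; mixed case and stray spaces are deliberate
# to show that the parser normalises them.
SAMPLE_NOTES_INI = """\
ServerName=CN=Web01/O=Example
HTTPDisableMethods=trace, OPTIONS ,Connect,FOO
"""


def parse_disabled_methods(notes_ini: str) -> list[str]:
    """Return the methods listed in HTTPDisableMethods, trimmed and upper-cased."""
    for line in notes_ini.splitlines():
        m = re.match(r"^\s*HTTPDisableMethods\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            return [t.strip().upper() for t in m.group(1).split(",") if t.strip()]
    return []


def audit(notes_ini: str, internet_sites_enabled: bool) -> dict:
    """Expected status per method (405 if blocked, None if not) plus warnings.

    internet_sites_enabled mirrors the Server document field
    'Load Internet configurations from Server\\Internet Sites documents'.
    """
    listed = parse_disabled_methods(notes_ini)
    warnings = []
    if internet_sites_enabled and listed:
        warnings.append("Internet Sites enabled: HTTPDisableMethods is ignored; "
                        "use the Internet Site document (Allowed Methods) instead")
    for name in listed:
        if name not in RFC2616_METHODS:
            warnings.append(f"unknown method name in HTTPDisableMethods: {name}")
    if "CONNECT" in listed:
        warnings.append("CONNECT is always rejected; listing it is redundant")
    # The notes.ini list only applies under the Web Configurations view.
    effective = set() if internet_sites_enabled else set(listed) & RFC2616_METHODS
    effective.add("CONNECT")  # never permitted, regardless of configuration
    expected = {m: (405 if m in effective else None) for m in sorted(RFC2616_METHODS)}
    if "TRACE" not in effective:
        warnings.append("TRACE still allowed: cross-site tracing finding remains open")
    return {"expected": expected, "warnings": warnings}


if __name__ == "__main__":
    for sites in (False, True):
        print(f"Internet Sites enabled={sites}:", audit(SAMPLE_NOTES_INI, sites))
```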

Sources (HCL Product Documentation)