HTTP Server - disable HTTP methods, TRACK TRACE etc

[kiksy]

Running nmap on my NodeJS HTTP server I get:

nmap -p 443 --script http-methods localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-28 11:26 BST
Nmap scan report for localhost
Host is up (0.00051s latency).
PORT    STATE SERVICE
443/tcp open  https
| http-methods: ACL BIND CHECKOUT CONNECT COPY DELETE GET HEAD LINK LOCK M-SEARC                    H MERGE MKACTIVITY MKCALENDAR MKCOL MOVE NOTIFY PATCH POST PROPFIND PROPPATCH PU                                                 RGE PUT REBIND REPORT SEARCH SUBSCRIBE TRACE UNBIND UNLINK UNLOCK UNSUBSCRIBE
| Potentially risky methods: ACL BIND CHECKOUT CONNECT COPY DELETE LINK LOCK M-S                                                 EARCH MERGE MKACTIVITY MKCALENDAR MKCOL MOVE NOTIFY PATCH PROPFIND PROPPATCH PUR                                                 GE PUT REBIND REPORT SEARCH SUBSCRIBE TRACE UNBIND UNLINK UNLOCK UNSUBSCRIBE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
MAC Address: AB:CD:75:EF:A5:6D (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

Is it possible to disable some of these methods, mainly in the "Potentially risky methods:" list when starting up the HTTP server?

[bnoordhuis]

Is this what you are thinking of?

const allowedMethods = ['GET','HEAD','POST'];

function onrequest(req, res) {
  if (!allowedMethods.includes(req.method))
    return res.end(405, 'Method Not Allowed');
  // ...
}

[kiksy]

Ah yes that would solve it. Thanks.