Insecure HTTP Methods

Allowing verbs like PUT, DELETE, or TRACE without controls exposes web servers to tampering, uploads, and tracing attacks.

What it is

Insecure HTTP methods occur when a web server allows potentially dangerous HTTP verbs such as PUT, DELETE, TRACE, or OPTIONS without proper restrictions. These methods are rarely required for public-facing websites but are often enabled by default due to misconfiguration.

Why it matters

Attackers can exploit unsafe HTTP methods to upload malicious files, alter server resources, bypass access controls, or perform cross-site tracing attacks. Even when the application logic is secure, exposed HTTP methods significantly increase the external attack surface.

How to reduce risk

Disable all unused HTTP methods at the web server or reverse proxy level and explicitly allow only those required (typically GET and POST). Regular external scanning helps identify newly exposed methods before they are abused.
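
As an added example (not part of the original glossary entry), the check below compares what a server advertises and accepts with an explicit allowlist, so a scan of your own hosts can flag methods that were left enabled. The names audit and parse_allow, the GET/POST allowlist, the treatment of 405 and 501 as "disabled", and the sample data are all assumptions made for illustration.

```python
# Added example: compares observed HTTP methods with an explicit allowlist.
ALLOWED = {"GET", "POST"}      # assumption: the only methods this site needs
DISABLED = {405, 501}          # Method Not Allowed / Not Implemented

# Constructed sample data (not from a real server).
SAMPLE_ALLOW = "GET, POST, OPTIONS, TRACE, PUT"
SAMPLE_PROBES = {"OPTIONS": 200, "TRACE": 405, "PUT": 201, "delete": 405}


def parse_allow(value):
    """Split an Allow header value into a set of upper-case method names."""
    return {m.strip().upper() for m in (value or "").split(",") if m.strip()}


def audit(allow_header, probe_statuses, allowed=ALLOWED):
    """Return {method: finding} for every method outside the allowlist.

    allow_header   -- Allow header value from an OPTIONS response, or None
    probe_statuses -- {method: status code} seen when each method was sent
    """
    advertised = parse_allow(allow_header)
    probes = {m.upper(): s for m, s in probe_statuses.items()}
    findings = {}
    for method in sorted(advertised | set(probes)):
        if method in allowed:
            continue
        status = probes.get(method)
        if status is None:
            findings[method] = "advertised in Allow, not probed"
        elif status not in DISABLED:
            findings[method] = f"accepted (status {status})"
        elif method in advertised:
            # Rejected in practice, yet still listed: the config is inconsistent.
            findings[method] = "advertised in Allow but rejected"
    return findings


if __name__ == "__main__":
    for method, finding in audit(SAMPLE_ALLOW, SAMPLE_PROBES).items():
        print(f"{method}: {finding}")
```

The Allow header only states what the server claims, so the per-method status codes are what decide whether a method is really disabled.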