Why should someone block all methods other than GET and POST in a RESTful application?












13














TL;DR:



Is there a valid reason to demand a software vendor to stop using HTTP PUT and DELETE methods in a web application and use only GET and POST? The application uses frameworks to whitelist allowed request paths and methods.



In other words, is there any difference from the security standpoint in allowing the deletion of a record via either DELETE or POST methods without changing the code and security checks in it?



Full question



Our customer configured their Tomcat instance with the following, according to their corporate standard:



<security-constraint> 
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>CONNECT</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint />
</security-constraint>


This, among the Http Header Security Filter configuration, made our application break.



Our application provides the same HTTP Header security features in Spring Security. Also, our application is RESTful, so we widely use PUT and DELETE methods for file upload. In future releases, we are also planning to use websockets (but from a search, they don't use CONNECT, which is for proxying).



Our customer said that they will have to raise a policy exception in production in order remove the offending lines from Tomcat configuration and make the application work.



The security exception policy is triggered when vendor applications do not comply with security requirement in a way that 1) fixing the issue cannot be done within the schedules and 2) no evident vulnerability is found. Exception policies require senior management approval.



However, security policy exceptions require our customer to engage the vendor within 6 months in "fixing the security issue". Within 6 months, vendor has to provide costs and deadlines to meet the security policy.



This means that they will return to me asking for a quotation to make the application work with enabled HTTP method filtering and HTTP Header Security filter.



I don't want to do them a favour and change all Ajax calls from RESTful patterns to GET/POST only, not even for money if possible. I would like instead to prove that their security implementation is not only incompatible, but redundant, with regards to the security implementations within the application.



If we set a precedent in doing this customer a favour with PUT and DELETE requests, we will have to face requests like "be compatible with my framework/policy/environment" from a large customer base (all banks and financial institutions). In the future, that may turn against our cost management.



Question is, as in the TLDR, could using PUT and DELETE methods alone, regardless of the security features of the application, pose a security risk?



If proven that the sole HTTP verb does not pose a security risk, I will be able to raise a permanent exception policy and confront the IT staff with solid argumentation.



Edit



I work in a software factory that deploys the same product instance to a large number of customers and our cloud. We are fully using all the tools we have on board, including the REST pattern. We are planning to employ HATEOAS, WebSockets, resumable file downloads, and everything the web technology can offer us to deliver better experience. Yes, sounds like a marketing line. Anyway, security is still a concern in our products.










share|improve this question




















  • 3




    I had some similar circumstances happen with clients. The result until now has been, either they give up and accept the changes required to make the application work, or they pay $$$ for supporting a special branch for them. If they pay enough to outset the cost and make a profit of that situation I don't see why you shouldn't do that.
    – Bakuriu
    Dec 14 '18 at 19:39






  • 3




    Me saying this doesn't help with your problem, but your customer is stupid.
    – immibis
    Dec 14 '18 at 23:35
















13














TL;DR:



Is there a valid reason to demand a software vendor to stop using HTTP PUT and DELETE methods in a web application and use only GET and POST? The application uses frameworks to whitelist allowed request paths and methods.



In other words, is there any difference from the security standpoint in allowing the deletion of a record via either DELETE or POST methods without changing the code and security checks in it?



Full question



Our customer configured their Tomcat instance with the following, according to their corporate standard:



<security-constraint> 
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>CONNECT</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint />
</security-constraint>


This, among the Http Header Security Filter configuration, made our application break.



Our application provides the same HTTP Header security features in Spring Security. Also, our application is RESTful, so we widely use PUT and DELETE methods for file upload. In future releases, we are also planning to use websockets (but from a search, they don't use CONNECT, which is for proxying).



Our customer said that they will have to raise a policy exception in production in order remove the offending lines from Tomcat configuration and make the application work.



The security exception policy is triggered when vendor applications do not comply with security requirement in a way that 1) fixing the issue cannot be done within the schedules and 2) no evident vulnerability is found. Exception policies require senior management approval.



However, security policy exceptions require our customer to engage the vendor within 6 months in "fixing the security issue". Within 6 months, vendor has to provide costs and deadlines to meet the security policy.



This means that they will return to me asking for a quotation to make the application work with enabled HTTP method filtering and HTTP Header Security filter.



I don't want to do them a favour and change all Ajax calls from RESTful patterns to GET/POST only, not even for money if possible. I would like instead to prove that their security implementation is not only incompatible, but redundant, with regards to the security implementations within the application.



If we set a precedent in doing this customer a favour with PUT and DELETE requests, we will have to face requests like "be compatible with my framework/policy/environment" from a large customer base (all banks and financial institutions). In the future, that may turn against our cost management.



Question is, as in the TLDR, could using PUT and DELETE methods alone, regardless of the security features of the application, pose a security risk?



If proven that the sole HTTP verb does not pose a security risk, I will be able to raise a permanent exception policy and confront the IT staff with solid argumentation.



Edit



I work in a software factory that deploys the same product instance to a large number of customers and our cloud. We are fully using all the tools we have on board, including the REST pattern. We are planning to employ HATEOAS, WebSockets, resumable file downloads, and everything the web technology can offer us to deliver better experience. Yes, sounds like a marketing line. Anyway, security is still a concern in our products.










share|improve this question




















  • 3




    I had some similar circumstances happen with clients. The result until now has been, either they give up and accept the changes required to make the application work, or they pay $$$ for supporting a special branch for them. If they pay enough to outset the cost and make a profit of that situation I don't see why you shouldn't do that.
    – Bakuriu
    Dec 14 '18 at 19:39






  • 3




    Me saying this doesn't help with your problem, but your customer is stupid.
    – immibis
    Dec 14 '18 at 23:35














13












13








13


2





TL;DR:



Is there a valid reason to demand a software vendor to stop using HTTP PUT and DELETE methods in a web application and use only GET and POST? The application uses frameworks to whitelist allowed request paths and methods.



In other words, is there any difference from the security standpoint in allowing the deletion of a record via either DELETE or POST methods without changing the code and security checks in it?



Full question



Our customer configured their Tomcat instance with the following, according to their corporate standard:



<security-constraint> 
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>CONNECT</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint />
</security-constraint>


This, among the Http Header Security Filter configuration, made our application break.



Our application provides the same HTTP Header security features in Spring Security. Also, our application is RESTful, so we widely use PUT and DELETE methods for file upload. In future releases, we are also planning to use websockets (but from a search, they don't use CONNECT, which is for proxying).



Our customer said that they will have to raise a policy exception in production in order remove the offending lines from Tomcat configuration and make the application work.



The security exception policy is triggered when vendor applications do not comply with security requirement in a way that 1) fixing the issue cannot be done within the schedules and 2) no evident vulnerability is found. Exception policies require senior management approval.



However, security policy exceptions require our customer to engage the vendor within 6 months in "fixing the security issue". Within 6 months, vendor has to provide costs and deadlines to meet the security policy.



This means that they will return to me asking for a quotation to make the application work with enabled HTTP method filtering and HTTP Header Security filter.



I don't want to do them a favour and change all Ajax calls from RESTful patterns to GET/POST only, not even for money if possible. I would like instead to prove that their security implementation is not only incompatible, but redundant, with regards to the security implementations within the application.



If we set a precedent in doing this customer a favour with PUT and DELETE requests, we will have to face requests like "be compatible with my framework/policy/environment" from a large customer base (all banks and financial institutions). In the future, that may turn against our cost management.



Question is, as in the TLDR, could using PUT and DELETE methods alone, regardless of the security features of the application, pose a security risk?



If proven that the sole HTTP verb does not pose a security risk, I will be able to raise a permanent exception policy and confront the IT staff with solid argumentation.



Edit



I work in a software factory that deploys the same product instance to a large number of customers and our cloud. We are fully using all the tools we have on board, including the REST pattern. We are planning to employ HATEOAS, WebSockets, resumable file downloads, and everything the web technology can offer us to deliver better experience. Yes, sounds like a marketing line. Anyway, security is still a concern in our products.










share|improve this question















TL;DR:



Is there a valid reason to demand a software vendor to stop using HTTP PUT and DELETE methods in a web application and use only GET and POST? The application uses frameworks to whitelist allowed request paths and methods.



In other words, is there any difference from the security standpoint in allowing the deletion of a record via either DELETE or POST methods without changing the code and security checks in it?



Full question



Our customer configured their Tomcat instance with the following, according to their corporate standard:



<security-constraint> 
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>CONNECT</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint />
</security-constraint>


This, among the Http Header Security Filter configuration, made our application break.



Our application provides the same HTTP Header security features in Spring Security. Also, our application is RESTful, so we widely use PUT and DELETE methods for file upload. In future releases, we are also planning to use websockets (but from a search, they don't use CONNECT, which is for proxying).



Our customer said that they will have to raise a policy exception in production in order remove the offending lines from Tomcat configuration and make the application work.



The security exception policy is triggered when vendor applications do not comply with security requirement in a way that 1) fixing the issue cannot be done within the schedules and 2) no evident vulnerability is found. Exception policies require senior management approval.



However, security policy exceptions require our customer to engage the vendor within 6 months in "fixing the security issue". Within 6 months, vendor has to provide costs and deadlines to meet the security policy.



This means that they will return to me asking for a quotation to make the application work with enabled HTTP method filtering and HTTP Header Security filter.



I don't want to do them a favour and change all Ajax calls from RESTful patterns to GET/POST only, not even for money if possible. I would like instead to prove that their security implementation is not only incompatible, but redundant, with regards to the security implementations within the application.



If we set a precedent in doing this customer a favour with PUT and DELETE requests, we will have to face requests like "be compatible with my framework/policy/environment" from a large customer base (all banks and financial institutions). In the future, that may turn against our cost management.



Question is, as in the TLDR, could using PUT and DELETE methods alone, regardless of the security features of the application, pose a security risk?



If proven that the sole HTTP verb does not pose a security risk, I will be able to raise a permanent exception policy and confront the IT staff with solid argumentation.



Edit



I work in a software factory that deploys the same product instance to a large number of customers and our cloud. We are fully using all the tools we have on board, including the REST pattern. We are planning to employ HATEOAS, WebSockets, resumable file downloads, and everything the web technology can offer us to deliver better experience. Yes, sounds like a marketing line. Anyway, security is still a concern in our products.







web-application http rest






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Dec 17 '18 at 16:57







usr-local-ΕΨΗΕΛΩΝ

















asked Dec 14 '18 at 16:36









usr-local-ΕΨΗΕΛΩΝusr-local-ΕΨΗΕΛΩΝ

1,346416




1,346416








  • 3




    I had some similar circumstances happen with clients. The result until now has been, either they give up and accept the changes required to make the application work, or they pay $$$ for supporting a special branch for them. If they pay enough to outset the cost and make a profit of that situation I don't see why you shouldn't do that.
    – Bakuriu
    Dec 14 '18 at 19:39






  • 3




    Me saying this doesn't help with your problem, but your customer is stupid.
    – immibis
    Dec 14 '18 at 23:35














  • 3




    I had some similar circumstances happen with clients. The result until now has been, either they give up and accept the changes required to make the application work, or they pay $$$ for supporting a special branch for them. If they pay enough to outset the cost and make a profit of that situation I don't see why you shouldn't do that.
    – Bakuriu
    Dec 14 '18 at 19:39






  • 3




    Me saying this doesn't help with your problem, but your customer is stupid.
    – immibis
    Dec 14 '18 at 23:35








3




3




I had some similar circumstances happen with clients. The result until now has been, either they give up and accept the changes required to make the application work, or they pay $$$ for supporting a special branch for them. If they pay enough to outset the cost and make a profit of that situation I don't see why you shouldn't do that.
– Bakuriu
Dec 14 '18 at 19:39




I had some similar circumstances happen with clients. The result until now has been, either they give up and accept the changes required to make the application work, or they pay $$$ for supporting a special branch for them. If they pay enough to outset the cost and make a profit of that situation I don't see why you shouldn't do that.
– Bakuriu
Dec 14 '18 at 19:39




3




3




Me saying this doesn't help with your problem, but your customer is stupid.
– immibis
Dec 14 '18 at 23:35




Me saying this doesn't help with your problem, but your customer is stupid.
– immibis
Dec 14 '18 at 23:35










3 Answers
3






active

oldest

votes


















23














I suspect this is a case of someone zealously applying "best practices" that they don't understand.



HTTP Verb Tampering Attack



The reason this best practice exists is because of the HTTP Verb Tampering Attack. From this article:




Many Web server authentication mechanisms use verb-based authentication and access controls. For example, an administrator can configure a Web server to allow unrestricted access to a Web page using HTTP GET requests, but restrict POSTs to administrators only. However, many implementations of verb-based security mechanisms enforce the security rules in an unsecure manner, allowing access to restricted resources by using alternative HTTP methods (such as HEAD) or even arbitrary character strings.




So someone decided that because some apps are badly-written, all apps should be banned from accepting HTTP verbs other than GET or POST, because ... you know ... mumble mumble SECURITY!!





My opinion (possibly incomplete / incorrect, please post comments) :




  • Pure HTML / CSS / js content should be restricted to GET and POST because these are the only verbs allowed in the HTML spec.

  • APIs (AJAX, REST) should be allowed to use any verb from the HTTP spec, that said:


    • Be aware that even if your application-layer correctly enforces verb-based access controls, your webserver front-end may not, so you owe it to your customers to do some security testing and make sure your app enforces proper authentication and access controls on all verbs that you support. I recommend following the OWASP testing guide.




It sounds like your app is fine and your customer has an overly-zealous security policy.





As an aside, HEAD is an interesting example; some security scanners seem to complain if your app responds to HEAD requests, because some apps will return valid headers without invoking the proper auth checks. However, most properly designed apps will process a full GET and then only return the headers, including the correct content-length:. So for apps using modern frameworks, there is probably no way to bypass auth logic on your GET controller. Do some quick tests though!
(Thanks @usr-local-ΕΨΗΕΛΩΝ for pointing this out in comments. See this Stack Overflow post for detail on how Spring MVC handles this.)






share|improve this answer



















  • 2




    I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
    – Mike Ounsworth
    Dec 14 '18 at 18:06






  • 1




    I think it's a good idea to allow HEAD when GET and POST are allowed. Lots of clients will see if a path exists by using HEAD.
    – forest
    Dec 15 '18 at 2:49








  • 1




    ...what this boils down to is, "protect the resource first, then the action". Especially since so many apps are written to only use GET/POST anyways....
    – Clockwork-Muse
    Dec 15 '18 at 6:40






  • 1




    @MikeOunsworth see stackoverflow.com/questions/45074013/…. Of course if you are writing IHttpHandler/HttpServlet code directly, you can decide not to do queries on HEAD method, because that is your code
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 15 '18 at 12:45






  • 1




    Yes, that is my understanding too. I haven't inspected the code, but the comment on the linked answer provides full clarification (HEAD requests must generate the correct content length). I would likely continue the discussion out of this topic.
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 17 '18 at 14:17





















0














Arguably, DELETE and PUT are safer than GET/POST because they cannot be used in CSRF attacks. Also arguably, DELETE and PUT should be protected against CSRF anyway, because it is bad to base your application's security on the assumption that every browser implementation out there follows the standards. But it's not uncommon for applications to not have that protection, so maybe that's the thinking behind the ban, although I'm reaching here a bit.



Or maybe they just disabled all methods they did not need (which is a good practice) and over time that turned from a default into an unviolable rule.






share|improve this answer





















  • If you implement CSRF using a good framework (e.g. Spring Security in my case, but can also be [AntiForgeryTokenAttribute]), that will be applied to all verbs than GET. In my case I happened to configure Angularjs to send the token header also on GET requests. Has no effect but is shorter configuration
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 15 '18 at 13:17










  • "Or maybe they just disabled all methods they did not need". That is a very good point, but not applicable to my case. I mean, if you are a software company you can reasonably take such decision. But if you are a bank running your supplier's code, it's not you who decide which methods to use. Thanks for the opinion!
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 17 '18 at 14:53



















0














I recommend engaging your corporate legal team soon, in order to have someone focusing on the business aspects of the discussions to come.




As part of the security exception policy, our customer's staff is obligated to engage the vendor in "fixing the security issue" within 6 months.



This means that they will return to me asking to make the application work with enabled HTTP method filtering and HTTP Header Security filter.



I don't want to do them a favour and change all Ajax calls from RESTful patterns to GET/POST only, not even for money.




Your client is obviously running their own bureaucracy, enforcing an inflexible policy. You believe you have three possible paths:




  1. Convince them to change their policy.

  2. Make the undesirable change.

  3. Risk losing them as a customer.


Even though it appears to you to be a logical, technical decision, getting policies changed requires a fair amount of political wrangling. The person you are dealing with on the other side of the discussion may or may not have the standing in his company needed to successfully make such a request. He may not want to waste his time fighting his own bureaucracy for the change. His life might be considerably easier if he changes vendors and uses someone else’s product that already complies with their policies. Worse for you, his boss’ life will almost certainly be easier if he just changes vendors.



It would be irresponsible of you to think that you can succeed at getting them to change their policy without doing some serious planning for the other outcomes.



Good customers are hard enough to come by. You owe it to your company to carefully weigh the risk of losing one over this.






share|improve this answer





















  • "It would be irresponsible of you to think that you can succeed at getting them to change their policy without doing some serious planning for the other outcomes." > Personally, I can use the outcome of this discussion to prove the customer that the application is already enforcing what they are expecting and request a permanent policy exception for that. Let me edit
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 17 '18 at 16:51











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199776%2fwhy-should-someone-block-all-methods-other-than-get-and-post-in-a-restful-applic%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























3 Answers
3






active

oldest

votes








3 Answers
3






active

oldest

votes









active

oldest

votes






active

oldest

votes









23














I suspect this is a case of someone zealously applying "best practices" that they don't understand.



HTTP Verb Tampering Attack



The reason this best practice exists is because of the HTTP Verb Tampering Attack. From this article:




Many Web server authentication mechanisms use verb-based authentication and access controls. For example, an administrator can configure a Web server to allow unrestricted access to a Web page using HTTP GET requests, but restrict POSTs to administrators only. However, many implementations of verb-based security mechanisms enforce the security rules in an unsecure manner, allowing access to restricted resources by using alternative HTTP methods (such as HEAD) or even arbitrary character strings.




So someone decided that because some apps are badly-written, all apps should be banned from accepting HTTP verbs other than GET or POST, because ... you know ... mumble mumble SECURITY!!





My opinion (possibly incomplete / incorrect, please post comments) :




  • Pure HTML / CSS / js content should be restricted to GET and POST because these are the only verbs allowed in the HTML spec.

  • APIs (AJAX, REST) should be allowed to use any verb from the HTTP spec, that said:


    • Be aware that even if your application-layer correctly enforces verb-based access controls, your webserver front-end may not, so you owe it to your customers to do some security testing and make sure your app enforces proper authentication and access controls on all verbs that you support. I recommend following the OWASP testing guide.




It sounds like your app is fine and your customer has an overly-zealous security policy.





As an aside, HEAD is an interesting example; some security scanners seem to complain if your app responds to HEAD requests, because some apps will return valid headers without invoking the proper auth checks. However, most properly designed apps will process a full GET and then only return the headers, including the correct content-length:. So for apps using modern frameworks, there is probably no way to bypass auth logic on your GET controller. Do some quick tests though!
(Thanks @usr-local-ΕΨΗΕΛΩΝ for pointing this out in comments. See this Stack Overflow post for detail on how Spring MVC handles this.)






share|improve this answer



















  • 2




    I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
    – Mike Ounsworth
    Dec 14 '18 at 18:06






  • 1




    I think it's a good idea to allow HEAD when GET and POST are allowed. Lots of clients will see if a path exists by using HEAD.
    – forest
    Dec 15 '18 at 2:49








  • 1




    ...what this boils down to is, "protect the resource first, then the action". Especially since so many apps are written to only use GET/POST anyways....
    – Clockwork-Muse
    Dec 15 '18 at 6:40






  • 1




    @MikeOunsworth see stackoverflow.com/questions/45074013/…. Of course if you are writing IHttpHandler/HttpServlet code directly, you can decide not to do queries on HEAD method, because that is your code
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 15 '18 at 12:45






  • 1




    Yes, that is my understanding too. I haven't inspected the code, but the comment on the linked answer provides full clarification (HEAD requests must generate the correct content length). I would likely continue the discussion out of this topic.
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 17 '18 at 14:17


















23














I suspect this is a case of someone zealously applying "best practices" that they don't understand.



HTTP Verb Tampering Attack



The reason this best practice exists is because of the HTTP Verb Tampering Attack. From this article:




Many Web server authentication mechanisms use verb-based authentication and access controls. For example, an administrator can configure a Web server to allow unrestricted access to a Web page using HTTP GET requests, but restrict POSTs to administrators only. However, many implementations of verb-based security mechanisms enforce the security rules in an unsecure manner, allowing access to restricted resources by using alternative HTTP methods (such as HEAD) or even arbitrary character strings.




So someone decided that because some apps are badly-written, all apps should be banned from accepting HTTP verbs other than GET or POST, because ... you know ... mumble mumble SECURITY!!





My opinion (possibly incomplete / incorrect, please post comments) :




  • Pure HTML / CSS / js content should be restricted to GET and POST because these are the only verbs allowed in the HTML spec.

  • APIs (AJAX, REST) should be allowed to use any verb from the HTTP spec, that said:


    • Be aware that even if your application-layer correctly enforces verb-based access controls, your webserver front-end may not, so you owe it to your customers to do some security testing and make sure your app enforces proper authentication and access controls on all verbs that you support. I recommend following the OWASP testing guide.




It sounds like your app is fine and your customer has an overly-zealous security policy.





As an aside, HEAD is an interesting example; some security scanners seem to complain if your app responds to HEAD requests, because some apps will return valid headers without invoking the proper auth checks. However, most properly designed apps will process a full GET and then only return the headers, including the correct content-length:. So for apps using modern frameworks, there is probably no way to bypass auth logic on your GET controller. Do some quick tests though!
(Thanks @usr-local-ΕΨΗΕΛΩΝ for pointing this out in comments. See this Stack Overflow post for detail on how Spring MVC handles this.)






share|improve this answer



















  • 2




    I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
    – Mike Ounsworth
    Dec 14 '18 at 18:06






  • 1




    I think it's a good idea to allow HEAD when GET and POST are allowed. Lots of clients will see if a path exists by using HEAD.
    – forest
    Dec 15 '18 at 2:49








  • 1




    ...what this boils down to is, "protect the resource first, then the action". Especially since so many apps are written to only use GET/POST anyways....
    – Clockwork-Muse
    Dec 15 '18 at 6:40






  • 1




    @MikeOunsworth see stackoverflow.com/questions/45074013/…. Of course if you are writing IHttpHandler/HttpServlet code directly, you can decide not to do queries on HEAD method, because that is your code
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 15 '18 at 12:45






  • 1




    Yes, that is my understanding too. I haven't inspected the code, but the comment on the linked answer provides full clarification (HEAD requests must generate the correct content length). I would likely continue the discussion out of this topic.
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 17 '18 at 14:17
















23












23








23






I suspect this is a case of someone zealously applying "best practices" that they don't understand.



HTTP Verb Tampering Attack



The reason this best practice exists is because of the HTTP Verb Tampering Attack. From this article:




Many Web server authentication mechanisms use verb-based authentication and access controls. For example, an administrator can configure a Web server to allow unrestricted access to a Web page using HTTP GET requests, but restrict POSTs to administrators only. However, many implementations of verb-based security mechanisms enforce the security rules in an unsecure manner, allowing access to restricted resources by using alternative HTTP methods (such as HEAD) or even arbitrary character strings.




So someone decided that because some apps are badly-written, all apps should be banned from accepting HTTP verbs other than GET or POST, because ... you know ... mumble mumble SECURITY!!





My opinion (possibly incomplete / incorrect, please post comments) :




  • Pure HTML / CSS / js content should be restricted to GET and POST because these are the only verbs allowed in the HTML spec.

  • APIs (AJAX, REST) should be allowed to use any verb from the HTTP spec, that said:


    • Be aware that even if your application-layer correctly enforces verb-based access controls, your webserver front-end may not, so you owe it to your customers to do some security testing and make sure your app enforces proper authentication and access controls on all verbs that you support. I recommend following the OWASP testing guide.




It sounds like your app is fine and your customer has an overly-zealous security policy.





As an aside, HEAD is an interesting example; some security scanners seem to complain if your app responds to HEAD requests, because some apps will return valid headers without invoking the proper auth checks. However, most properly designed apps will process a full GET and then only return the headers, including the correct content-length:. So for apps using modern frameworks, there is probably no way to bypass auth logic on your GET controller. Do some quick tests though!
(Thanks @usr-local-ΕΨΗΕΛΩΝ for pointing this out in comments. See this Stack Overflow post for detail on how Spring MVC handles this.)






share|improve this answer














I suspect this is a case of someone zealously applying "best practices" that they don't understand.



HTTP Verb Tampering Attack



The reason this best practice exists is because of the HTTP Verb Tampering Attack. From this article:




Many Web server authentication mechanisms use verb-based authentication and access controls. For example, an administrator can configure a Web server to allow unrestricted access to a Web page using HTTP GET requests, but restrict POSTs to administrators only. However, many implementations of verb-based security mechanisms enforce the security rules in an unsecure manner, allowing access to restricted resources by using alternative HTTP methods (such as HEAD) or even arbitrary character strings.




So someone decided that because some apps are badly-written, all apps should be banned from accepting HTTP verbs other than GET or POST, because ... you know ... mumble mumble SECURITY!!





My opinion (possibly incomplete / incorrect, please post comments) :




  • Pure HTML / CSS / js content should be restricted to GET and POST because these are the only verbs allowed in the HTML spec.

  • APIs (AJAX, REST) should be allowed to use any verb from the HTTP spec, that said:


    • Be aware that even if your application-layer correctly enforces verb-based access controls, your webserver front-end may not, so you owe it to your customers to do some security testing and make sure your app enforces proper authentication and access controls on all verbs that you support. I recommend following the OWASP testing guide.




It sounds like your app is fine and your customer has an overly-zealous security policy.





As an aside, HEAD is an interesting example; some security scanners seem to complain if your app responds to HEAD requests, because some apps will return valid headers without invoking the proper auth checks. However, most properly designed apps will process a full GET and then only return the headers, including the correct content-length:. So for apps using modern frameworks, there is probably no way to bypass auth logic on your GET controller. Do some quick tests though!
(Thanks @usr-local-ΕΨΗΕΛΩΝ for pointing this out in comments. See this Stack Overflow post for detail on how Spring MVC handles this.)







share|improve this answer














share|improve this answer



share|improve this answer








edited Dec 17 '18 at 16:14

























answered Dec 14 '18 at 17:03









Mike OunsworthMike Ounsworth

38.9k1593138




38.9k1593138








  • 2




    I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
    – Mike Ounsworth
    Dec 14 '18 at 18:06






  • 1




    I think it's a good idea to allow HEAD when GET and POST are allowed. Lots of clients will see if a path exists by using HEAD.
    – forest
    Dec 15 '18 at 2:49








  • 1




    ...what this boils down to is, "protect the resource first, then the action". Especially since so many apps are written to only use GET/POST anyways....
    – Clockwork-Muse
    Dec 15 '18 at 6:40






  • 1




    @MikeOunsworth see stackoverflow.com/questions/45074013/…. Of course if you are writing IHttpHandler/HttpServlet code directly, you can decide not to do queries on HEAD method, because that is your code
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 15 '18 at 12:45






  • 1




    Yes, that is my understanding too. I haven't inspected the code, but the comment on the linked answer provides full clarification (HEAD requests must generate the correct content length). I would likely continue the discussion out of this topic.
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 17 '18 at 14:17
















  • 2




    I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
    – Mike Ounsworth
    Dec 14 '18 at 18:06






  • 1




    I think it's a good idea to allow HEAD when GET and POST are allowed. Lots of clients will see if a path exists by using HEAD.
    – forest
    Dec 15 '18 at 2:49








  • 1




    ...what this boils down to is, "protect the resource first, then the action". Especially since so many apps are written to only use GET/POST anyways....
    – Clockwork-Muse
    Dec 15 '18 at 6:40






  • 1




    @MikeOunsworth see stackoverflow.com/questions/45074013/…. Of course if you are writing IHttpHandler/HttpServlet code directly, you can decide not to do queries on HEAD method, because that is your code
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 15 '18 at 12:45






  • 1




    Yes, that is my understanding too. I haven't inspected the code, but the comment on the linked answer provides full clarification (HEAD requests must generate the correct content length). I would likely continue the discussion out of this topic.
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 17 '18 at 14:17










2




2




I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
– Mike Ounsworth
Dec 14 '18 at 18:06




I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
– Mike Ounsworth
Dec 14 '18 at 18:06




1




1




I think it's a good idea to allow HEAD when GET and POST are allowed. Lots of clients will see if a path exists by using HEAD.
– forest
Dec 15 '18 at 2:49






I think it's a good idea to allow HEAD when GET and POST are allowed. Lots of clients will see if a path exists by using HEAD.
– forest
Dec 15 '18 at 2:49






1




1




...what this boils down to is, "protect the resource first, then the action". Especially since so many apps are written to only use GET/POST anyways....
– Clockwork-Muse
Dec 15 '18 at 6:40




...what this boils down to is, "protect the resource first, then the action". Especially since so many apps are written to only use GET/POST anyways....
– Clockwork-Muse
Dec 15 '18 at 6:40




1




1




@MikeOunsworth see stackoverflow.com/questions/45074013/…. Of course if you are writing IHttpHandler/HttpServlet code directly, you can decide not to do queries on HEAD method, because that is your code
– usr-local-ΕΨΗΕΛΩΝ
Dec 15 '18 at 12:45




@MikeOunsworth see stackoverflow.com/questions/45074013/…. Of course if you are writing IHttpHandler/HttpServlet code directly, you can decide not to do queries on HEAD method, because that is your code
– usr-local-ΕΨΗΕΛΩΝ
Dec 15 '18 at 12:45




1




1




Yes, that is my understanding too. I haven't inspected the code, but the comment on the linked answer provides full clarification (HEAD requests must generate the correct content length). I would likely continue the discussion out of this topic.
– usr-local-ΕΨΗΕΛΩΝ
Dec 17 '18 at 14:17






Yes, that is my understanding too. I haven't inspected the code, but the comment on the linked answer provides full clarification (HEAD requests must generate the correct content length). I would likely continue the discussion out of this topic.
– usr-local-ΕΨΗΕΛΩΝ
Dec 17 '18 at 14:17















0














Arguably, DELETE and PUT are safer than GET/POST because they cannot be used in CSRF attacks. Also arguably, DELETE and PUT should be protected against CSRF anyway, because it is bad to base your application's security on the assumption that every browser implementation out there follows the standards. But it's not uncommon for applications to not have that protection, so maybe that's the thinking behind the ban, although I'm reaching here a bit.



Or maybe they just disabled all methods they did not need (which is a good practice) and over time that turned from a default into an unviolable rule.






share|improve this answer





















  • If you implement CSRF using a good framework (e.g. Spring Security in my case, but can also be [AntiForgeryTokenAttribute]), that will be applied to all verbs than GET. In my case I happened to configure Angularjs to send the token header also on GET requests. Has no effect but is shorter configuration
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 15 '18 at 13:17










  • "Or maybe they just disabled all methods they did not need". That is a very good point, but not applicable to my case. I mean, if you are a software company you can reasonably take such decision. But if you are a bank running your supplier's code, it's not you who decide which methods to use. Thanks for the opinion!
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 17 '18 at 14:53
















0














Arguably, DELETE and PUT are safer than GET/POST because they cannot be used in CSRF attacks. Also arguably, DELETE and PUT should be protected against CSRF anyway, because it is bad to base your application's security on the assumption that every browser implementation out there follows the standards. But it's not uncommon for applications to not have that protection, so maybe that's the thinking behind the ban, although I'm reaching here a bit.



Or maybe they just disabled all methods they did not need (which is a good practice) and over time that turned from a default into an unviolable rule.






share|improve this answer





















  • If you implement CSRF using a good framework (e.g. Spring Security in my case, but can also be [AntiForgeryTokenAttribute]), that will be applied to all verbs than GET. In my case I happened to configure Angularjs to send the token header also on GET requests. Has no effect but is shorter configuration
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 15 '18 at 13:17










  • "Or maybe they just disabled all methods they did not need". That is a very good point, but not applicable to my case. I mean, if you are a software company you can reasonably take such decision. But if you are a bank running your supplier's code, it's not you who decide which methods to use. Thanks for the opinion!
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 17 '18 at 14:53














0












0








0






Arguably, DELETE and PUT are safer than GET/POST because they cannot be used in CSRF attacks. Also arguably, DELETE and PUT should be protected against CSRF anyway, because it is bad to base your application's security on the assumption that every browser implementation out there follows the standards. But it's not uncommon for applications to not have that protection, so maybe that's the thinking behind the ban, although I'm reaching here a bit.



Or maybe they just disabled all methods they did not need (which is a good practice) and over time that turned from a default into an unviolable rule.






share|improve this answer












Arguably, DELETE and PUT are safer than GET/POST because they cannot be used in CSRF attacks. Also arguably, DELETE and PUT should be protected against CSRF anyway, because it is bad to base your application's security on the assumption that every browser implementation out there follows the standards. But it's not uncommon for applications to not have that protection, so maybe that's the thinking behind the ban, although I'm reaching here a bit.



Or maybe they just disabled all methods they did not need (which is a good practice) and over time that turned from a default into an unviolable rule.







share|improve this answer












share|improve this answer



share|improve this answer










answered Dec 15 '18 at 2:46









TgrTgr

568210




568210












  • If you implement CSRF using a good framework (e.g. Spring Security in my case, but can also be [AntiForgeryTokenAttribute]), that will be applied to all verbs than GET. In my case I happened to configure Angularjs to send the token header also on GET requests. Has no effect but is shorter configuration
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 15 '18 at 13:17










  • "Or maybe they just disabled all methods they did not need". That is a very good point, but not applicable to my case. I mean, if you are a software company you can reasonably take such decision. But if you are a bank running your supplier's code, it's not you who decide which methods to use. Thanks for the opinion!
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 17 '18 at 14:53


















  • If you implement CSRF using a good framework (e.g. Spring Security in my case, but can also be [AntiForgeryTokenAttribute]), that will be applied to all verbs than GET. In my case I happened to configure Angularjs to send the token header also on GET requests. Has no effect but is shorter configuration
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 15 '18 at 13:17










  • "Or maybe they just disabled all methods they did not need". That is a very good point, but not applicable to my case. I mean, if you are a software company you can reasonably take such decision. But if you are a bank running your supplier's code, it's not you who decide which methods to use. Thanks for the opinion!
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 17 '18 at 14:53
















If you implement CSRF using a good framework (e.g. Spring Security in my case, but can also be [AntiForgeryTokenAttribute]), that will be applied to all verbs than GET. In my case I happened to configure Angularjs to send the token header also on GET requests. Has no effect but is shorter configuration
– usr-local-ΕΨΗΕΛΩΝ
Dec 15 '18 at 13:17




If you implement CSRF using a good framework (e.g. Spring Security in my case, but can also be [AntiForgeryTokenAttribute]), that will be applied to all verbs than GET. In my case I happened to configure Angularjs to send the token header also on GET requests. Has no effect but is shorter configuration
– usr-local-ΕΨΗΕΛΩΝ
Dec 15 '18 at 13:17












"Or maybe they just disabled all methods they did not need". That is a very good point, but not applicable to my case. I mean, if you are a software company you can reasonably take such decision. But if you are a bank running your supplier's code, it's not you who decide which methods to use. Thanks for the opinion!
– usr-local-ΕΨΗΕΛΩΝ
Dec 17 '18 at 14:53




"Or maybe they just disabled all methods they did not need". That is a very good point, but not applicable to my case. I mean, if you are a software company you can reasonably take such decision. But if you are a bank running your supplier's code, it's not you who decide which methods to use. Thanks for the opinion!
– usr-local-ΕΨΗΕΛΩΝ
Dec 17 '18 at 14:53











0














I recommend engaging your corporate legal team soon, in order to have someone focusing on the business aspects of the discussions to come.




As part of the security exception policy, our customer's staff is obligated to engage the vendor in "fixing the security issue" within 6 months.



This means that they will return to me asking to make the application work with enabled HTTP method filtering and HTTP Header Security filter.



I don't want to do them a favour and change all Ajax calls from RESTful patterns to GET/POST only, not even for money.




Your client is obviously running their own bureaucracy, enforcing an inflexible policy. You believe you have three possible paths:




  1. Convince them to change their policy.

  2. Make the undesirable change.

  3. Risk losing them as a customer.


Even though it appears to you to be a logical, technical decision, getting policies changed requires a fair amount of political wrangling. The person you are dealing with on the other side of the discussion may or may not have the standing in his company needed to successfully make such a request. He may not want to waste his time fighting his own bureaucracy for the change. His life might be considerably easier if he changes vendors and uses someone else’s product that already complies with their policies. Worse for you, his boss’ life will almost certainly be easier if he just changes vendors.



It would be irresponsible of you to think that you can succeed at getting them to change their policy without doing some serious planning for the other outcomes.



Good customers are hard enough to come by. You owe it to your company to carefully weigh the risk of losing one over this.






share|improve this answer





















  • "It would be irresponsible of you to think that you can succeed at getting them to change their policy without doing some serious planning for the other outcomes." > Personally, I can use the outcome of this discussion to prove the customer that the application is already enforcing what they are expecting and request a permanent policy exception for that. Let me edit
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 17 '18 at 16:51
















0














I recommend engaging your corporate legal team soon, in order to have someone focusing on the business aspects of the discussions to come.




As part of the security exception policy, our customer's staff is obligated to engage the vendor in "fixing the security issue" within 6 months.



This means that they will return to me asking to make the application work with enabled HTTP method filtering and HTTP Header Security filter.



I don't want to do them a favour and change all Ajax calls from RESTful patterns to GET/POST only, not even for money.




Your client is obviously running their own bureaucracy, enforcing an inflexible policy. You believe you have three possible paths:




  1. Convince them to change their policy.

  2. Make the undesirable change.

  3. Risk losing them as a customer.


Even though it appears to you to be a logical, technical decision, getting policies changed requires a fair amount of political wrangling. The person you are dealing with on the other side of the discussion may or may not have the standing in his company needed to successfully make such a request. He may not want to waste his time fighting his own bureaucracy for the change. His life might be considerably easier if he changes vendors and uses someone else’s product that already complies with their policies. Worse for you, his boss’ life will almost certainly be easier if he just changes vendors.



It would be irresponsible of you to think that you can succeed at getting them to change their policy without doing some serious planning for the other outcomes.



Good customers are hard enough to come by. You owe it to your company to carefully weigh the risk of losing one over this.






share|improve this answer





















  • "It would be irresponsible of you to think that you can succeed at getting them to change their policy without doing some serious planning for the other outcomes." > Personally, I can use the outcome of this discussion to prove the customer that the application is already enforcing what they are expecting and request a permanent policy exception for that. Let me edit
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 17 '18 at 16:51














0












0








0






I recommend engaging your corporate legal team soon, in order to have someone focusing on the business aspects of the discussions to come.




As part of the security exception policy, our customer's staff is obligated to engage the vendor in "fixing the security issue" within 6 months.



This means that they will return to me asking to make the application work with enabled HTTP method filtering and HTTP Header Security filter.



I don't want to do them a favour and change all Ajax calls from RESTful patterns to GET/POST only, not even for money.




Your client is obviously running their own bureaucracy, enforcing an inflexible policy. You believe you have three possible paths:




  1. Convince them to change their policy.

  2. Make the undesirable change.

  3. Risk losing them as a customer.


Even though it appears to you to be a logical, technical decision, getting policies changed requires a fair amount of political wrangling. The person you are dealing with on the other side of the discussion may or may not have the standing in his company needed to successfully make such a request. He may not want to waste his time fighting his own bureaucracy for the change. His life might be considerably easier if he changes vendors and uses someone else’s product that already complies with their policies. Worse for you, his boss’ life will almost certainly be easier if he just changes vendors.



It would be irresponsible of you to think that you can succeed at getting them to change their policy without doing some serious planning for the other outcomes.



Good customers are hard enough to come by. You owe it to your company to carefully weigh the risk of losing one over this.






share|improve this answer












I recommend engaging your corporate legal team soon, in order to have someone focusing on the business aspects of the discussions to come.




As part of the security exception policy, our customer's staff is obligated to engage the vendor in "fixing the security issue" within 6 months.



This means that they will return to me asking to make the application work with enabled HTTP method filtering and HTTP Header Security filter.



I don't want to do them a favour and change all Ajax calls from RESTful patterns to GET/POST only, not even for money.




Your client is obviously running their own bureaucracy, enforcing an inflexible policy. You believe you have three possible paths:




  1. Convince them to change their policy.

  2. Make the undesirable change.

  3. Risk losing them as a customer.


Even though it appears to you to be a logical, technical decision, getting policies changed requires a fair amount of political wrangling. The person you are dealing with on the other side of the discussion may or may not have the standing in his company needed to successfully make such a request. He may not want to waste his time fighting his own bureaucracy for the change. His life might be considerably easier if he changes vendors and uses someone else’s product that already complies with their policies. Worse for you, his boss’ life will almost certainly be easier if he just changes vendors.



It would be irresponsible of you to think that you can succeed at getting them to change their policy without doing some serious planning for the other outcomes.



Good customers are hard enough to come by. You owe it to your company to carefully weigh the risk of losing one over this.







share|improve this answer












share|improve this answer



share|improve this answer










answered Dec 17 '18 at 16:25









John DetersJohn Deters

26.3k24087




26.3k24087












  • "It would be irresponsible of you to think that you can succeed at getting them to change their policy without doing some serious planning for the other outcomes." > Personally, I can use the outcome of this discussion to prove the customer that the application is already enforcing what they are expecting and request a permanent policy exception for that. Let me edit
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 17 '18 at 16:51


















  • "It would be irresponsible of you to think that you can succeed at getting them to change their policy without doing some serious planning for the other outcomes." > Personally, I can use the outcome of this discussion to prove the customer that the application is already enforcing what they are expecting and request a permanent policy exception for that. Let me edit
    – usr-local-ΕΨΗΕΛΩΝ
    Dec 17 '18 at 16:51
















"It would be irresponsible of you to think that you can succeed at getting them to change their policy without doing some serious planning for the other outcomes." > Personally, I can use the outcome of this discussion to prove the customer that the application is already enforcing what they are expecting and request a permanent policy exception for that. Let me edit
– usr-local-ΕΨΗΕΛΩΝ
Dec 17 '18 at 16:51




"It would be irresponsible of you to think that you can succeed at getting them to change their policy without doing some serious planning for the other outcomes." > Personally, I can use the outcome of this discussion to prove the customer that the application is already enforcing what they are expecting and request a permanent policy exception for that. Let me edit
– usr-local-ΕΨΗΕΛΩΝ
Dec 17 '18 at 16:51


















draft saved

draft discarded




















































Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199776%2fwhy-should-someone-block-all-methods-other-than-get-and-post-in-a-restful-applic%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Plaza Victoria

Puebla de Zaragoza

Musa