Secured WebDAV with Office

I’ve recently implemented a technique of making Office applications save to WebDAV in a secure way by using tokens in conjunction with mod_security in Apache. This means that MS Word opens a document using a URL such as:

https://my.server.com/webdav/my_document.doc?token=12345:03cfd743661f07975fa2f1220c5194cbaff48451

While this works fine over HTTP, there’s a problem with HTTPS. Word (or Excel) sends several requests when sending or fetching the file, such as LOCK, OPTIONS, GET, PUT or PROPFIND. The Office apps strip the parameters off the PROPFIND request, so if your mod_security rules expect a token parameter, the web server sends back a 403, and Word then opens a popup which says:

The website you want to view requests identification. Please choose a certificate.

The popup box is, however, empty. While it doesn’t prevent Word from reading and writing to the file, it is a bit annoying to end users.

The solution is to allow all PROPFIND requests without parameters. Add an entry to your mod_security config such as:

SecRule REQUEST_METHOD "^PROPFIND$" "phase:1,t:none,skipAfter:9999"

where 9999 is the exit rule in the setup. Voila, no more errors. 🙂
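
The rule above skips the token checks for every PROPFIND, whether or not it carries a query string. The following is an added example, not part of the original post, that narrows the exemption to PROPFIND requests with no query-string arguments, as the text describes. The rule id 9000 and the pass,nolog actions are assumptions; 9999 is the exit rule named in the post.

```apache
# Added example, not from the original post.
# Assumptions: rule id 9000 is unused in your setup, and 9999 is the exit
# rule that ends the token checks (as described in the post).
# ModSecurity 2.7 and later require an id on every rule.

# As posted: every PROPFIND skips the token checks, with or without parameters.
# SecRule REQUEST_METHOD "^PROPFIND$" "phase:1,t:none,skipAfter:9999"

# Narrowed: skip only when the PROPFIND carries no query-string arguments,
# which is the request Office sends after stripping the parameters.
# skipAfter belongs on the chain starter and takes effect only when the
# whole chain matches (method is PROPFIND AND the GET argument count is 0).
SecRule REQUEST_METHOD "^PROPFIND$" \
    "id:9000,phase:1,t:none,pass,nolog,chain,skipAfter:9999"
    SecRule &ARGS_GET "@eq 0"

# A PROPFIND that does carry parameters falls through to the existing
# token rules (not shown in the post) and is validated like any other method.
```

Parameterless PROPFIND requests still bypass the token, so anything a PROPFIND response reveals about the WebDAV tree is readable without one.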

