Is it best practice nowadays to block all other HTTP requests like HEAD, PUT, PROPFIND and other WebDAV-related calls to Plone in the frontend server and only allow GET and POST?
Last year a Plone intranet we manage, where Office 365 was rolled out in the organisation, started getting much more sporadic low-level errors in the ZPublisher. These are coming from MS Office, which I guess finds links in documents to the intranet and then shoots off all kinds of discovery requests in the hope of finding SharePoint or other WebDAV extensions. We don't support WebDAV, so no problem to block those.
I'm wondering about the HEAD request though. Some parts of Zope/Plone are still supporting them, but many URLs (like RSS feeds) give an internal server error and some clients in the wild are still trying a HEAD. Is it fine to block HEAD as well on the frontend Apache/nginx level?
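
An added example, not part of the original post: before restricting the frontend to GET and POST, the access log can be audited to see which methods, clients and URLs such a rule would affect, and which of those requests currently end in a 5xx. The log lines, paths and user-agent strings below are constructed sample data, and the "combined" log format is an assumption about the frontend's configuration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = '''\
10.0.0.5 - - [12/Mar/2024:09:14:01 +0000] "OPTIONS /intranet/docs/ HTTP/1.1" 500 312 "-" "Microsoft Office Protocol Discovery"
10.0.0.5 - - [12/Mar/2024:09:14:02 +0000] "PROPFIND /intranet/docs HTTP/1.1" 500 312 "-" "Microsoft-WebDAV-MiniRedir/10.0.19045"
10.0.0.9 - - [12/Mar/2024:09:15:10 +0000] "HEAD /intranet/news/RSS HTTP/1.1" 500 0 "-" "FeedFetcher-Example/1.0"
10.0.0.7 - - [12/Mar/2024:09:15:30 +0000] "HEAD /intranet/front-page HTTP/1.1" 200 0 "-" "LinkChecker-Example/2.0"
10.0.0.8 - - [12/Mar/2024:09:16:00 +0000] "GET /intranet/front-page HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.8 - - [12/Mar/2024:09:16:05 +0000] "POST /intranet/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:09:45:10 +0000] "HEAD /intranet/news/RSS HTTP/1.1" 500 0 "-" "FeedFetcher-Example/1.0"
'''

# Request line, status, size, referer, user agent of the combined format.
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

ALLOWED = {"GET", "POST"}  # the allow-list under consideration


def audit(log_text, allowed=ALLOWED):
    """Summarise requests that a rule allowing only `allowed` would reject."""
    by_method = Counter()        # method -> request count
    server_errors = Counter()    # (method, path) -> count of 5xx responses
    agents = defaultdict(set)    # method -> user agents that sent it
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None or m["method"] in allowed:
            continue
        by_method[m["method"]] += 1
        agents[m["method"]].add(m["agent"])
        if m["status"].startswith("5"):
            server_errors[(m["method"], m["path"])] += 1
    return by_method, server_errors, agents


if __name__ == "__main__":
    methods, errors, agents = audit(SAMPLE_LOG)
    for method, count in methods.most_common():
        print(f"{method:9} {count:3}  {sorted(agents[method])}")
    for (method, path), count in errors.most_common():
        print(f"5xx x{count}: {method} {path}")
```

Run against the real frontend log, the per-method user-agent sets show which clients a GET/POST-only rule would cut off, including HEAD requests that currently succeed.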