¶ Authentication and Transport
- Require HTTPS for all WebDAV traffic.
- Disable basic auth over plaintext and enforce strong credentials.
- Use client certificate auth or SSO where supported.
- Grant directory-level permissions by role.
- Disable write operations for read-only consumers.
- Avoid sharing root filesystem paths.
- Disable unused HTTP methods not required by clients.
- Restrict upload size and request limits to reduce abuse risk.
- Keep underlying web server modules patched.
¶ Logging and Response
- Log WebDAV methods (PROPFIND, PUT, MOVE, DELETE) centrally.
- Alert on destructive operations outside maintenance windows.
- Keep tested backup/restore procedures for shared content.
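
One way to implement the logging and alerting items above, as an added example that is not part of the original checklist: a small detector that parses access-log lines and flags successful destructive WebDAV requests outside a maintenance window. The log format (Common/Combined Log Format), the choice of DELETE and MOVE as destructive, the Sunday 02:00-04:00 UTC window, and all sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, time, timezone

# Assumption: access log is in Common/Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
WEBDAV_METHODS = {"PROPFIND", "PUT", "MOVE", "DELETE"}  # methods named in the checklist
DESTRUCTIVE = {"DELETE", "MOVE"}                         # assumption: adjust to local policy
# Assumption: maintenance window is Sunday (weekday 6) 02:00-04:00 UTC.
WINDOW_WEEKDAY, WINDOW_START, WINDOW_END = 6, time(2, 0), time(4, 0)

def in_maintenance_window(ts):
    # Normalise to UTC first so a server logging in local time is judged correctly.
    ts = ts.astimezone(timezone.utc)
    return ts.weekday() == WINDOW_WEEKDAY and WINDOW_START <= ts.time() < WINDOW_END

def parse_line(line):
    # Returns a dict for logged WebDAV methods, None for anything else.
    m = LOG_RE.match(line)
    if not m or m["method"] not in WEBDAV_METHODS:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "user": m["user"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}

def find_alerts(lines):
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] not in DESTRUCTIVE:
            continue
        # Only 2xx responses changed content; denied attempts are not alerted here.
        if 200 <= ev["status"] < 300 and not in_maintenance_window(ev["ts"]):
            alerts.append(ev)
    return alerts

# Constructed sample log lines (documentation IP ranges, invented users and paths).
SAMPLE_LOG = [
    '192.0.2.10 - alice [03/Mar/2024:02:15:00 +0000] "DELETE /dav/reports/old.xlsx HTTP/1.1" 204 0',
    '192.0.2.11 - bob [05/Mar/2024:14:30:12 +0000] "DELETE /dav/finance/q1.xlsx HTTP/1.1" 204 0',
    '192.0.2.11 - bob [05/Mar/2024:14:30:15 +0000] "PROPFIND /dav/finance/ HTTP/1.1" 207 1532',
    '198.51.100.7 - carol [03/Mar/2024:05:30:00 +0200] "MOVE /dav/shared/a.doc HTTP/1.1" 201 0',
    '198.51.100.7 - - [05/Mar/2024:23:01:00 +0000] "DELETE /dav/shared/b.doc HTTP/1.1" 403 0',
    '192.0.2.12 - dave [06/Mar/2024:09:00:00 +0000] "MOVE /dav/hr/x.pdf HTTP/1.1" 201 0',
]

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(f'ALERT {a["ts"].isoformat()} {a["user"]}@{a["ip"]} {a["method"]} {a["path"]}')
```

Denied destructive requests (the 403 line) are deliberately left out of this alert; they fit better in a separate failed-access rule.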