Access controls are normally effective for all access methods, and this is the usual desired behaviour. In the general case, access control directives should not be placed within a <Limit> section.
The purpose of the <Limit> directive is to restrict the effect of the access controls to the nominated HTTP methods. For all other methods, the access restrictions that are enclosed in the <Limit> bracket will have no effect. The following example applies the access control only to the methods POST, PUT, and DELETE, leaving all other methods unprotected:
<Limit POST PUT DELETE>
require valid-user
</Limit>
The method names listed can be one or more of: GET, POST, PUT,
DELETE, CONNECT, OPTIONS, TRACE, PATCH, PROPFIND, PROPPATCH, MKCOL,
COPY, MOVE, LOCK, and UNLOCK. The method name is
case-sensitive. If GET is used it will also restrict HEAD
requests.
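One way to check a configuration for this pitfall, as an added example that is not part of the original documentation: the script reports each <Limit> section that encloses access controls and the methods it leaves unprotected. The function name, the ACCESS_DIRECTIVES set and the sample configuration are assumptions made for illustration.

```python
import re

# Method names the page lists as valid for <Limit>.
KNOWN_METHODS = ("GET POST PUT DELETE CONNECT OPTIONS TRACE PATCH PROPFIND "
                 "PROPPATCH MKCOL COPY MOVE LOCK UNLOCK").split()
# Directives treated as access controls here (an assumed, non-exhaustive set).
ACCESS_DIRECTIVES = {"require", "allow", "deny", "order", "satisfy"}
OPEN_RE = re.compile(r"^<Limit\s+([^>]*)>$", re.IGNORECASE)
CLOSE_RE = re.compile(r"^</Limit>$", re.IGNORECASE)


def audit_limit_sections(config_text):
    """Return one finding per <Limit> section that encloses access controls."""
    findings, current = [], None
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_RE.match(line)
        if opened:
            # Method names are case-sensitive: keep them exactly as written.
            current = {"line": lineno, "methods": opened.group(1).split(),
                       "directives": []}
        elif CLOSE_RE.match(line) and current is not None:
            if current["directives"]:
                covered = set(current["methods"])
                if "GET" in covered:
                    covered.add("HEAD")  # GET also restricts HEAD
                current["unprotected"] = [m for m in KNOWN_METHODS + ["HEAD"]
                                          if m not in covered]
                current["unlisted"] = [m for m in current["methods"]
                                       if m not in KNOWN_METHODS]
                findings.append(current)
            current = None
        elif current is not None and line.split()[0].lower() in ACCESS_DIRECTIVES:
            current["directives"].append(line)
    return findings


# Constructed sample configuration, not taken from a real server.
SAMPLE_CONFIG = """\
<Directory "/srv/www/upload">
    <Limit POST PUT DELETE>
        require valid-user
    </Limit>
</Directory>
"""
for f in audit_limit_sections(SAMPLE_CONFIG):
    print(f"line {f['line']}: {f['directives']} skipped for {f['unprotected']}")
```

The "unlisted" field holds method names that do not match the list above exactly as written, which catches a lowercase name such as get.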