by prymitive 722 days ago
Most of this behaviour comes from the desire by many companies to be compliant with a lot of security regulations, which in many cases means silly rules like “you must run and action a security scanning system”. Because a lot of these scanners are just dumb wrappers running any piece of software that pretends to be a security scanner, and because the more rules one has, the more “valuable” it is, you end up with a race to scan the most. And that sadly translates into rules and reports like https://hackerone.com/reports/191220 - the OPTIONS method can be used to check what methods a web server accepts, therefore an attacker might use it to learn which methods to use for the attack. Except they can just try it with no effort. It’s this sort of “if you can see a lock then the attacker will use that knowledge to know where the lock is” logic that must be followed by a “let’s remove all locks so they cannot be attacked” response.
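As an added illustration of the OPTIONS point above (example code written for this page, not part of the original comment or of the linked HackerOne report): a throwaway local HTTP server that implements GET and POST and answers OPTIONS with an Allow header, queried two ways. First the "scanner" way, asking OPTIONS; then the way an attacker would do it anyway, sending each candidate method and keeping whatever the server does not reject with 501. A second handler class models the "remove the lock" response of disabling OPTIONS, to show that direct probing still recovers the same method list. The handler classes, the candidate method list and the use of 501 as the rejection signal are assumptions of this example, not anything stated in the comment.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed candidate list; a real probe would use a longer one.
CANDIDATES = ["GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "TRACE"]


class Handler(BaseHTTPRequestHandler):
    """Hypothetical target: supports GET and POST, advertises them via OPTIONS."""

    ALLOWED = ["GET", "POST", "OPTIONS"]

    def _ok(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        self._ok()

    def do_POST(self):
        self._ok()

    def do_OPTIONS(self):
        # The "lock you can see": the Allow header spells out the supported methods.
        self.send_response(204)
        self.send_header("Allow", ", ".join(self.ALLOWED))
        self.end_headers()

    def log_message(self, *args):
        # keep the example quiet
        pass


class NoOptionsHandler(Handler):
    """Same target after the 'disable OPTIONS' remediation (assumed fix, for contrast)."""

    def do_OPTIONS(self):
        # BaseHTTPRequestHandler answers unknown methods with 501; mimic that here.
        self.send_error(501, "Unsupported method ('OPTIONS')")


def start_server(handler_cls):
    """Bind to an ephemeral loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _request(port, method):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request(method, "/")
        resp = conn.getresponse()
        resp.read()  # drain the body (empty for 204/HEAD)
        return resp
    finally:
        conn.close()


def ask_options(port):
    """The scanner's view: whatever the Allow header on an OPTIONS response says."""
    allow = _request(port, "OPTIONS").getheader("Allow") or ""
    return sorted(m.strip() for m in allow.split(",") if m.strip())


def probe_methods(port, candidates=CANDIDATES):
    """The attacker's view: send each method and keep the ones not rejected with 501."""
    return sorted(m for m in candidates if _request(port, m).status != 501)


def enumerate_both(handler_cls, candidates=CANDIDATES):
    """Return (methods learned from OPTIONS, methods learned by probing) for a handler."""
    srv = start_server(handler_cls)
    port = srv.server_address[1]
    try:
        return ask_options(port), probe_methods(port, candidates)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for cls in (Handler, NoOptionsHandler):
        via_options, via_probe = enumerate_both(cls)
        print(f"{cls.__name__}: OPTIONS says {via_options}, probing finds {via_probe}")
```

With OPTIONS enabled both views agree (GET, OPTIONS, POST); with OPTIONS disabled the Allow header is gone but probing still finds GET and POST, so the "fix" removed information from a friendly client and none from an attacker. Note the 501 heuristic is the example's own simplification: real servers reject unsupported methods with 405, 501 or 400 depending on the stack, and a probe that matters would treat any of those as "not supported".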