ACL filtering based on HTTP's method is ignored if method received from client is invalid.
To reproduce, with the default 8080 server_ports configure the remap.conf as follows.
Then run the following curl command.
Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
If the following curl command is issued instead
One will see that TS sends back a 403 Access Denied as expected.