I have an API which is valid for the POST/GET/PUT verbs, but if a hacker intercepts the request and changes the method to 'OPTIONS' instead of 'GET', he will get the below error in the HTTP response:
Allow: GET,POST,PUT
{
"Message": "The requested resource does not support http method 'OPTIONS'."
}
This allows the hacker to identify which verbs are supported by the API. I have to restrict this header in the response.
I tried removing the 'WebDAV' module but it is still showing the same message. I don't want the hacker to see this message or the Allow header.
According to your requirement, I assumed that you could specify the supported verbs in the Web.config file as follows:
<system.webServer>
  <security>
    <requestFiltering>
      <!-- allowUnlisted="false": any verb not listed below is rejected by request filtering -->
      <verbs allowUnlisted="false">
        <add verb="GET" allowed="true" />
        <add verb="POST" allowed="true" />
        <add verb="PUT" allowed="true" />
      </verbs>
    </requestFiltering>
  </security>
</system.webServer>
If the client tries to access your API with other verbs, it would receive the 404 status code. Additionally, you'd better enable authentication in your Web API for better security.
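Two checks a defender can run on what this answer describes, as an added Python example that is not part of the original answer: the first parses a captured HTTP response and reports which verbs its Allow header discloses (the leak the question complains about), the second lints the `<requestFiltering><verbs>` section of a Web.config and flags a configuration that would still let unlisted verbs through or would lock out the API's own verbs. The sample response and the sample Web.config below are constructed from the text above; the function names and the `required` verb list are this example's own assumptions.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed sample: the response the question describes, as raw HTTP text.
SAMPLE_RESPONSE = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Allow: GET,POST,PUT\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    "\r\n"
    '{"Message":"The requested resource does not support http method \'OPTIONS\'."}'
)

# Constructed sample: the requestFiltering section from the answer, embedded inline.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
          <add verb="PUT" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""


def disclosed_verbs(raw_response: str) -> list[str]:
    """Return the verbs an HTTP response discloses in its Allow header ([] if none)."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            return [v.strip().upper() for v in value.split(",") if v.strip()]
    return []


def _child(elem: ET.Element, tag: str) -> ET.Element | None:
    # Walk children by exact tag name: "system.webServer" contains a dot, which
    # ElementTree path expressions would misread as a path step.
    for child in elem:
        if child.tag == tag:
            return child
    return None


def verb_filter_findings(web_config_xml: str,
                         required: tuple[str, ...] = ("GET", "POST", "PUT")) -> list[str]:
    """Lint <requestFiltering><verbs>; return findings (empty list means it matches `required`)."""
    findings: list[str] = []
    node = ET.fromstring(web_config_xml)
    for tag in ("system.webServer", "security", "requestFiltering", "verbs"):
        node = _child(node, tag)
        if node is None:
            return [f"no <{tag}> element: request filtering does not restrict verbs"]

    # Without allowUnlisted="false", listing verbs only denies the ones marked allowed="false".
    if node.get("allowUnlisted", "true").lower() != "false":
        findings.append('allowUnlisted is not "false": unlisted verbs such as OPTIONS pass the filter')

    allowed = {
        a.get("verb", "").upper()
        for a in node.findall("add")
        if a.get("allowed", "true").lower() == "true"
    }
    for verb in required:
        if verb not in allowed:
            findings.append(f"{verb} is not explicitly allowed: legitimate clients would get 404")
    for verb in sorted(allowed - set(required)):
        findings.append(f"{verb} is allowed but not required by the API")
    return findings


if __name__ == "__main__":
    print("Allow header discloses:", disclosed_verbs(SAMPLE_RESPONSE))
    print("Web.config findings:", verb_filter_findings(SAMPLE_WEB_CONFIG) or "none")
```

Feed `verb_filter_findings` the contents of your own Web.config to confirm the filter is closed before deploying; feed `disclosed_verbs` a response captured from the deployed site to confirm the Allow header is gone.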