httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch>
Subject Re: TRACE still enabled by default
Date Tue, 20 Mar 2012 19:04:31 GMT
On Saturday 17 March 2012, Roy T. Fielding wrote:
> > We still enable TRACE by default.
> >
> > 
> >
> > Is this useful enough to justify making every other poor sap with
> > a security scanner have to manually turn it off?
> Yes.
> > I'm hoping 2.4.x is early enough in life where flipping this
> > wouldn't be too astonishing.
> I don't change protocols based on fool security researchers and
> their failure to correctly direct security reports.  TRACE is not
> a vulnerability.

That doesn't mean that it's a good idea to have it on by default. I 
can't remember ever having needed it for debugging. While it may 
actually be useful in reverse-proxy situations, it is usually 
necessary to disable it there because one does not want to leak 
internal information like the private IPs from X-Forwarded-For.

It can also compound security issues in webapps. In general, one can 
say that it increases the attack surface a web server presents to the 
internet. I think it is a good idea to make it default to off.

View raw message