httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: TRACE still enabled by default
Date Wed, 21 Mar 2012 12:39:02 GMT


On 17.03.2012 10:24, Roy T. Fielding wrote:
> On Mar 16, 2012, at 7:18 AM, Eric Covener wrote:
> 
>> We still enable TRACE by default.
>>
>> Is this useful enough to justify making every other poor sap with a
>> security scanner have to manually turn it off?
> 
> Yes.
> 
>> I'm hoping 2.4.x is early enough in life where flipping this wouldn't
>> be too astonishing.
> 
> I don't change protocols based on fool security researchers and their
> failure to correctly direct security reports.  TRACE is not a vulnerability.

1 out of a million servers needs TRACE enabled

it was ALWAYS a good idea to disable ANYTHING by default
that is not really needed and this principle will stay

