httpd-dev mailing list archives

From Tim Bannister <>
Subject Re: TRACE still enabled by default
Date Wed, 21 Mar 2012 21:52:38 GMT
On 21 Mar 2012, at 21:46, Stefan Fritsch wrote:

> But one thing that would be very interesting in this case, namely the X-Forwarded-For
> header, is something that most admins of a reverse-proxied site do NOT want to disclose at
> the end-point. They may also not want to reveal other headers sent from the reverse proxy
> to the end-point.

The same may apply to Via: … and in both cases the answer may be to disable or restrict
the TRACE method.
But isn't this more a documentation issue than an argument for changing the compiled-in default?

Tim Bannister –
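
The disclosure discussed in this message, as an added example that is not part of the original thread: a TRACE reply echoes the request as the end-point received it, so headers inserted by the reverse proxy (X-Forwarded-For, Via) come back to the client. The sample response, host names, addresses and function names below are constructed for illustration; the check runs offline against a captured reply from a site you administer.

```python
from email.parser import Parser

# Constructed sample: headers the client sent, and the TRACE reply it got back
# from an end-point behind a reverse proxy (documentation address, made-up hosts).
SENT_HEADERS = {"Host": "www.example.org", "User-Agent": "trace-check/1.0"}
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n"
    "\r\n"
    "TRACE / HTTP/1.1\r\n"
    "Host: www.example.org\r\n"
    "User-Agent: trace-check/1.0\r\n"
    "X-Forwarded-For: 192.0.2.10\r\n"
    "Via: 1.1 proxy.internal.example\r\n"
    "\r\n"
)
REFUSED_RESPONSE = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST\r\n\r\n"


def echoed_headers(raw_response):
    """Return the headers of the request echoed in a TRACE body, or None."""
    text = raw_response.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    status_line, _, header_block = head.partition("\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[1] != "200":
        return None  # TRACE disabled or restricted: nothing is echoed
    response_headers = Parser().parsestr(header_block, headersonly=True)
    if response_headers.get_content_type() != "message/http":
        return None  # not a TRACE echo
    request_line, _, echoed_block = body.partition("\n")
    if not request_line.startswith("TRACE "):
        return None
    return Parser().parsestr(echoed_block, headersonly=True)


def disclosed_by_trace(raw_response, sent_headers):
    """Headers present in the echo that the client never sent (proxy-added)."""
    echoed = echoed_headers(raw_response)
    if echoed is None:
        return {}
    sent_names = {name.lower() for name in sent_headers}
    return {k: v for k, v in echoed.items() if k.lower() not in sent_names}


if __name__ == "__main__":
    for name, value in disclosed_by_trace(SAMPLE_RESPONSE, SENT_HEADERS).items():
        print(f"disclosed via TRACE: {name}: {value}")
```

An empty result for a captured reply means the end-point did not echo the request, which is the outcome of disabling or restricting TRACE as the message suggests.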
