httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: TRACE still enabled by default
Date Thu, 22 Mar 2012 14:57:00 GMT

On Mar 21, 2012, at 8:39 AM, Reindl Harald wrote:

> 
> 
> On 17.03.2012 10:24, Roy T. Fielding wrote:
>> On Mar 16, 2012, at 7:18 AM, Eric Covener wrote:
>> 
>>> We still enable TRACE by default.
>>> 
>>> Is this useful enough to justify making every other poor sap with a
>>> security scanner have to manually turn it off?
>> 
>> Yes.
>> 
>>> I'm hoping 2.4.x is early enough in life where flipping this wouldn't
>>> be too astonishing.
>> 
>> I don't change protocols based on fool security researchers and their
>> failure to correctly direct security reports.  TRACE is not a vulnerability.
> 
> 1 out of a million servers needs TRACE enabled
> 
> it was ALWAYS a good idea to disable ANYTHING by default
> what is not really needed and this principle will stay
> 

If admins want that, then they can set that up. But there's
no reason for the default to be something that isn't warranted.
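For an admin who does want the non-default setting the thread is arguing about, the httpd directive is `TraceEnable off`. The Python below is an added example, not code from the thread or from the httpd project: it builds the TRACE request a verification tool would send to its own host and classifies the raw response as TRACE enabled, disabled or unknown, judging "enabled" only when the server echoes the request back as message/http. The two responses are constructed samples, not captured from any real server.

```python
import re

# Constructed sample: httpd with the default TraceEnable on echoes the
# request back as a message/http body.
TRACE_ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Content-Length: 55\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\nX-Probe: 1\r\n\r\n"
)
# Constructed sample: httpd with TraceEnable off answers 405.
TRACE_DISABLED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

def build_trace_request(host: str, marker: str) -> bytes:
    """Build the TRACE request a self-check tool sends to its own host.

    The X-Probe header (a hypothetical name) is the marker we expect to
    see echoed back if TRACE is enabled.
    """
    return f"TRACE / HTTP/1.1\r\nHost: {host}\r\nX-Probe: {marker}\r\n\r\n".encode()

def classify_trace(response: bytes, marker: str) -> str:
    """Return 'enabled', 'disabled' or 'unknown' for a raw TRACE response.

    'enabled' needs a 2xx status, a message/http content type and the
    echoed marker in the body, so a 200 from a proxy that swallowed the
    method is not misreported as TRACE being on.
    """
    head, _, body = response.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    m = re.match(rb"HTTP/1\.[01] (\d{3})", status_line)
    if not m:
        return "unknown"
    status = int(m.group(1))
    if 200 <= status < 300 and b"message/http" in head.lower() and marker.encode() in body:
        return "enabled"
    if status in (405, 501):
        return "disabled"
    return "unknown"
```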