httpd-dev mailing list archives

From "Roy T. Fielding" <field...@gbiv.com>
Subject Re: TRACE still enabled by default
Date Sat, 17 Mar 2012 09:24:44 GMT
On Mar 16, 2012, at 7:18 AM, Eric Covener wrote:

> We still enable TRACE by default.
> 
> Is this useful enough to justify making every other poor sap with a
> security scanner have to manually turn it off?

Yes.

> I'm hoping 2.4.x is early enough in life where flipping this wouldn't
> be too astonishing.

I don't change protocols based on fool security researchers and their
failure to correctly direct security reports.  TRACE is not a vulnerability.

....Roy
