httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] Limiting HTTP Methods
Date Thu, 20 Nov 2003 19:42:21 GMT

On Thu, 20 Nov 2003, Erich Oliphant wrote:

[ Limiting TRACE is pointless. ]

> Interesting reading, thanks.
>
> We're doing this after a security scan of the system.  I've informed
> people that it's done but it doesn't really buy them much.

Yes, I guess the scanner makers figure that people won't think they're
getting their money's worth unless they turn up a few vulnerabilities.  So
they add every damn thing they can think of, including the pointless ones.

I still maintain that encouraging people to do things like this is overall
harmful to security.  It is true that few people make use of TRACE
(though it does have important uses for diagnostics and debugging), so it
is not very harmful to disable it.  But having security professionals
waste their time on things like this takes time away from real security
issues (like making sure all client machines are well patched, and
auditing cgi/php/java scripts where security vulnerabilities are much more
likely to live).

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

