Add TraceEnable
#59
Comments
Last I heard, to be PCI compliant you need to set for some reason we also had to set the following
👍
From https://httpd.apache.org/docs/current/mod/core.html#TraceEnable
@mathiasbynens Can you provide more details on why this should be done? Thanks!
this is a bit old but if it still holds true...
As the docs say:
There is no reason to allow
Note that per RFC 2616, support for HTTP
@efes0, @mathiasbynens Thanks for your comments!
For the record (and for future search-engine users stumbling across this), the original HTTP/1.1 RFC2616 mentioned above by @mathiasbynens was superseded in 2014 by a collection of updated HTTP/1.1 RFCs. That said, his point about
Can someone make a PR?
The OWASP documentation on: Cross-Site Tracing (XST) suggests that:
And in Testing for HTTP Verb Tampering:
This issue is focusing solely on E.g:
This is what the default /etc/apache2/conf.d/security file says: https://httpd.apache.org/docs/2.2/mod/core.html#traceenable
It wouldn’t hurt to add TraceEnable off to the config (overriding the default value on).
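An added example, not part of the original issue or the project's own code: a small audit of Apache configuration text that reports the effective TraceEnable value for the main server and each VirtualHost, so a missing or overridden `TraceEnable off` is visible. It assumes Include files are already inlined, that the last directive in a scope wins, and that a virtual host without its own directive inherits the main server's value; the function names and the sample config are constructed for illustration.

```python
import re
DEFAULT = "on"  # documented Apache default for TraceEnable

def effective_trace_enable(conf_text):
    """Map each scope (main server, every <VirtualHost>) to its effective value."""
    main_value = None
    vhosts = []      # [address, value-or-None], in file order
    current = None   # vhost entry being parsed; None means main-server scope
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out directives have no effect
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = [opened.group(1).strip(), None]
            vhosts.append(current)
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            current = None
        else:
            directive = re.match(r"TraceEnable\s+(\S+)", line, re.I)
            if directive:
                value = directive.group(1).strip("\"'").lower()
                if current is None:
                    main_value = value   # last directive in a scope wins
                else:
                    current[1] = value
    main = main_value or DEFAULT
    result = {"main": main}
    for i, (addr, value) in enumerate(vhosts, 1):
        # Assumption: a vhost with no directive of its own inherits the main value.
        result[f"vhost {i} ({addr})"] = value or main
    return result

def findings(conf_text):
    """Scopes where TRACE is not disabled (value is anything other than 'off')."""
    return sorted(s for s, v in effective_trace_enable(conf_text).items() if v != "off")

# Constructed sample config for illustration.
SAMPLE = """\
# TraceEnable off
<VirtualHost *:80>
</VirtualHost>
<VirtualHost *:443>
    TraceEnable On
</VirtualHost>
TraceEnable off
"""

if __name__ == "__main__":
    print(findings(SAMPLE))  # scopes that still need "TraceEnable off"
```

In the sample, the commented-out directive is ignored, the trailing main-server `TraceEnable off` covers the first virtual host, and the second virtual host is reported because it turns TRACE back on.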