https://bz.apache.org/bugzilla/show_bug.cgi?id=65357
Bug ID: 65357
Summary: TraceEnable Off Returns Empty Allow to TRACE request
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Core
Assignee: bugs@httpd.apache.org
Reporter: seth.kooi...@hpe.com
Target Milestone: ---

Context:
Currently when setting TraceEnable Off, the server returns a 405 with various headers. One such header being the Allow header. This is required by rfc2616 and correctly implemented under that standard but not newer standards.

Issue:
rfc7231 obsoletes 2616 and clarifies that the Allow header must contain all valid/Allowed methods - https://datatracker.ietf.org/doc/html/rfc7231#section-6.5.5

    6.5.5. 405 Method Not Allowed

    The 405 (Method Not Allowed) status code indicates that the method
    received in the request-line is known by the origin server but not
    supported by the target resource. The origin server MUST generate an
    Allow header field in a 405 response containing a list of the target
    resource's currently supported methods.

This is not the case currently. When using the TraceEnable Off option, the server returns a 405 but the response does not match the RFC requirements.

Possible Solution:
Respond with {Allow: "Everything except TRACE" or "TRACE disabled"}, increasing discoverability where the user would run another request (i.e. GET to the same URI) and see a correct list for that URI

or

When TraceEnable Off - respond to TRACE with 501 with the same rationale as the previous
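
Added example, not part of the bug report or of httpd: a Python check that classifies the response a server gives to a TRACE probe against the RFC 7231 section 6.5.5 text quoted above. The function names, finding codes and sample responses are all constructed for illustration.

```python
# Added example: audit the response to a TRACE probe against RFC 7231 section 6.5.5.
# All responses below are constructed samples, not captures from a real httpd.

def parse_response(raw: bytes):
    """Return (status, headers) with header names lower-cased and values listed."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def allowed_methods(headers):
    """Methods from all Allow fields, or None when no Allow field is present."""
    if "allow" not in headers:
        return None
    return [m.strip() for v in headers["allow"] for m in v.split(",") if m.strip()]

def audit_trace_response(raw: bytes):
    """Return finding codes for a response received after sending TRACE."""
    status, headers = parse_response(raw)
    methods = allowed_methods(headers)
    if status == 200:
        return ["trace-enabled"]          # TRACE was served, not refused
    if status != 405:
        return []                         # e.g. 501: no Allow requirement in 6.5.5
    if methods is None:
        return ["allow-missing"]          # 6.5.5: Allow MUST be generated
    if not methods:
        return ["allow-empty"]            # the behaviour this report describes
    return ["allow-lists-trace"] if "TRACE" in methods else []

EMPTY = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: \r\nContent-Length: 0\r\n\r\n"
LISTED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST, OPTIONS\r\n\r\n"
MISSING = b"HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n"
NOT_IMPL = b"HTTP/1.1 501 Not Implemented\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("empty", EMPTY), ("listed", LISTED),
                      ("missing", MISSING), ("501", NOT_IMPL)]:
        print(name, audit_trace_response(raw))
```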