On Saturday 17 March 2012, Roy T. Fielding wrote:
> > We still enable TRACE by default.
> >
> > Is this useful enough to justify making every other poor sap with
> > a security scanner have to manually turn it off?
>
> Yes.
>
> > I'm hoping 2.4.x is early enough in life where flipping this
> > wouldn't be too astonishing.
>
> I don't change protocols based on fool security researchers and
> their failure to correctly direct security reports. TRACE is not
> a vulnerability.
That doesn't mean that it's a good idea to have it on by default. I can't remember ever having needed it for debugging. While it may actually be useful in reverse-proxy situations, it is usually necessary to disable it there because one does not want to leak internal information like the private IPs from X-Forwarded-For. It can also compound security issues in webapps. In general, one can say that it increases the attack surface a web server presents to the internet. I think it is a good idea to make it default to off.
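As an added illustration of the "is TRACE actually reaching my server" question raised above (this is example code written for this page, not httpd project code or anything from the thread participants), the following audits Apache combined-format access log lines for TRACE requests. A 200 on a TRACE request means the server is echoing the request back; with `TraceEnable off` httpd answers 405 instead. The log lines are constructed samples, and the field names in the report are my own choice.

```python
import re

# Apache "combined" log format prefix:
# host ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic); the two TRACE lines show
# one echoed request (200) and one refused request (405).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Mar/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Mar/2012:10:00:02 +0000] "TRACE / HTTP/1.1" 200 512 "-" "scanner/1.0"
203.0.113.9 - - [17/Mar/2012:10:00:03 +0000] "TRACE /admin HTTP/1.1" 405 0 "-" "scanner/1.0"
198.51.100.2 - - [17/Mar/2012:10:00:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it
    does not match (truncated or non-standard lines are skipped, not fatal)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def audit_trace(log_text):
    """Summarise TRACE activity in an access log.

    'answered' counts TRACE requests the server served with 2xx (the method
    is enabled); 'refused' counts 405 responses (TraceEnable off behaviour).
    'clients' maps each source host that sent TRACE to its request count,
    which is the usual hint that a scanner, not a browser, is probing."""
    report = {
        "trace_requests": 0,
        "answered": 0,
        "refused": 0,
        "trace_enabled": False,
        "clients": {},
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "TRACE":
            continue
        report["trace_requests"] += 1
        report["clients"][rec["host"]] = report["clients"].get(rec["host"], 0) + 1
        if 200 <= rec["status"] < 300:
            report["answered"] += 1
            report["trace_enabled"] = True
        elif rec["status"] == 405:
            report["refused"] += 1
    return report


if __name__ == "__main__":
    result = audit_trace(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it over a real access log by reading the file into `audit_trace`; any non-zero `answered` count on a server that is not deliberately using TRACE for debugging is the signal to set `TraceEnable off` in the httpd configuration, which is the default-off behaviour the message above argues for.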