On 3/20/2012 7:09 AM, [email protected] wrote:
> Author: jim
> Date: Tue Mar 20 12:09:05 2012
> New Revision: 1302856
>
> URL: http://svn.apache.org/viewvc?rev=1302856&view=rev
> Log:
> Merge r1302855 from trunk:
>
> Note that TRACE is not a vuln
Agreed. > + <p>Despite claims to the contrary, <code>TRACE</code> is not > + a security vulnerability and there is no viable reason for > + it to be disabled. Doing so necessarily makes your server > + non-compliant.</p> I'm not clear that's true. http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-19#section-6.8 currently in last call has plenty to say about TRACE. It doesn't document a MUST requirement for a server to support TRACE requests. It reads (at least to me, anyways) that support of TRACE is a good idea. It has some comments on security implications, as well, in that document.
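
Review bot: In the added <p>, the sentence "Doing so necessarily makes your server non-compliant" asserts a conformance requirement without naming the specification clause it rests on, and "Despite claims to the contrary" does not say which claims are meant. Suggest citing the exact requirement that mandates TRACE support, or rewording so the paragraph says only what the cited text supports. "No viable reason for it to be disabled" would also read better if it named the specific concern being rebutted, so an administrator can evaluate it against their own deployment.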
