Re: Http TRACE method headers in response body

2021-09-08 Thread Christopher Schultz
Mark, On 9/8/21 11:28, Mark Thomas wrote: On 08/09/2021 16:15, Gilles Robert wrote: My issue is that even though TRACE is disabled, we see the "malicious" header in the response. You need to talk to the Spring folks then. Default Tomcat behaviour is to return a 405 with an error message in t

Re: Http TRACE method headers in response body

2021-09-08 Thread Mark Thomas
On 08/09/2021 16:15, Gilles Robert wrote: My issue is that even though TRACE is disabled, we see the "malicious" header in the response. You need to talk to the Spring folks then. Default Tomcat behaviour is to return a 405 with an error message in the response. I've just double checked this

Re: Http TRACE method headers in response body

2021-09-08 Thread Gilles Robert
My issue is that even though TRACE is disabled, we see the "malicious" header in the response. On Wed, 8 Sept 2021 at 17:01, Mark Thomas wrote: > > On 08/09/2021 14:14, Gilles Robert wrote: > > Hi, > > > > Using Spring boot (2.5.4) with Tomcat (9.0.52), the HTTP TRACE method > > is disabled by de

Re: Http TRACE method headers in response body

2021-09-08 Thread Mark Thomas
On 08/09/2021 14:14, Gilles Robert wrote: Hi, Using Spring boot (2.5.4) with Tomcat (9.0.52), the HTTP TRACE method is disabled by default and returns a 405 method not allowed, which is what I expect security-wise. My issue is that if one gives a malicious header: header: malicious: alert('mali

Http TRACE method headers in response body

2021-09-08 Thread Gilles Robert
Hi, Using Spring boot (2.5.4) with Tomcat (9.0.52), the HTTP TRACE method is disabled by default and returns a 405 method not allowed, which is what I expect security-wise. My issue is that if one gives a malicious header: header: malicious: alert('malicious call'); it's given back in the respon