On Mar 16, 2012, at 7:18 AM, Eric Covener wrote: > We still enable TRACE by default. > > Is this useful enough to justify making every other poor sap with a > security scanner have to manually turn it off?
Yes. > I'm hoping 2.4.x is early enough in life where flipping this wouldn't > be too astonishing. I don't change protocols based on fool security researchers and their failure to correctly direct security reports. TRACE is not a vulnerability. ....Roy
