On 17.03.2012 10:24, Roy T. Fielding wrote:
> On Mar 16, 2012, at 7:18 AM, Eric Covener wrote:
>
>> We still enable TRACE by default.
>>
>> Is this useful enough to justify making every other poor sap with a
>> security scanner have to manually turn it off?
>
> Yes.
>
>> I'm hoping 2.4.x is early enough in life where flipping this wouldn't
>> be too astonishing.
>
> I don't change protocols based on fool security researchers and their
> failure to correctly direct security reports. TRACE is not a vulnerability.

1 out of a million servers needs TRACE enabled. It was ALWAYS a good idea to disable ANYTHING by default that is not really needed, and this principle will stay.
