On Mar 21, 2012, at 8:39 AM, Reindl Harald wrote:

>
> On 17.03.2012 10:24, Roy T. Fielding wrote:
>> On Mar 16, 2012, at 7:18 AM, Eric Covener wrote:
>>
>>> We still enable TRACE by default.
>>>
>>> Is this useful enough to justify making every other poor sap with a
>>> security scanner have to manually turn it off?
>>
>> Yes.
>>
>>> I'm hoping 2.4.x is early enough in life where flipping this wouldn't
>>> be too astonishing.
>>
>> I don't change protocols based on fool security researchers and their
>> failure to correctly direct security reports. TRACE is not a vulnerability.
>
> 1 out of a million servers needs TRACE enabled
>
> it was ALWAYS a good idea to disable ANYTHING by default
> what is not really needed and this principle will stay
>
If admins want that, then they can set that up. But there's no reason for the default to be something that isn't warranted.
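The directive the thread is arguing over, together with the client-side check a scanner (or an admin verifying the change) actually runs, as an added example that is not from the thread or from the httpd project. It assumes a POSIX sh with sed, grep and tr, plus curl for the live probe only; the sample responses are constructed here, the 405 one mirroring what httpd returns once `TraceEnable off` is set.

```shell
#!/bin/sh
# Added example, not code from the httpd thread or the httpd project.
# Assumes: sh, sed, grep, tr, and (for the live probe only) curl on PATH.
#
# Server side, in httpd.conf (directive present in httpd 2.0.55+, 2.2 and 2.4):
#   TraceEnable off      # core and mod_proxy then answer TRACE with 405
# The shipped default is "on"; "extended" is a debugging setting only.
#
# Client side: classify the server's answer to a TRACE request.

# Read one full HTTP response from stdin and print a single word:
#   enabled  - 200 with Content-Type: message/http (request echoed back)
#   disabled - 405 Method Not Allowed
#   unknown  - anything else (intermediary answered, odd status, plain page)
classify_trace_response() {
  resp=$(tr -d '\r')
  status=$(printf '%s\n' "$resp" |
    sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
  case "$status" in
    405) echo disabled ;;
    200)
      # A 200 alone is not proof: only the echoed request body, which
      # httpd labels message/http, shows TRACE was really honoured.
      if printf '%s\n' "$resp" | grep -iq '^content-type: *message/http'; then
        echo enabled
      else
        echo unknown
      fi
      ;;
    *) echo unknown ;;
  esac
}

# Live probe (hypothetical helper; not exercised offline, needs curl).
# Usage: probe_trace example.org 80
probe_trace() {
  curl -s -i --max-time 5 -X TRACE -H 'X-Probe: 1' "http://$1:$2/" |
    classify_trace_response
}

# Constructed sample responses for an offline dry run.
# What httpd sends with TraceEnable off:
sample_off='HTTP/1.1 405 Method Not Allowed
Allow: GET,HEAD,POST,OPTIONS
Content-Type: text/html; charset=iso-8859-1

'
# What httpd sends with the shipped default (TraceEnable on):
sample_on='HTTP/1.1 200 OK
Content-Type: message/http

TRACE / HTTP/1.1
Host: example.org
X-Probe: 1
'

if [ "${1:-}" = demo ]; then
  printf '%s' "$sample_off" | classify_trace_response   # disabled
  printf '%s' "$sample_on"  | classify_trace_response   # enabled
fi
```

Run it with `sh trace_check.sh demo` for the offline dry run, or call `probe_trace host port` against a real server after restarting httpd with the directive in place. Requiring `message/http` on the 200 path is deliberate: a server that treats TRACE like GET and returns an ordinary page has not reflected the request, and reporting that as "enabled" is exactly the scanner false positive the thread complains about.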