agree on that.. but my company policy states that even for info/low I need to seek waiver to close it off..
Just need some closure on this. If it is indeed used then I can declare that it is required and accept it.

On Friday, October 30, 2020 at 5:16:20 PM UTC+8 [email protected] wrote:

> Might be
> https://www.rapid7.com/db/vulnerabilities/http-options-method-enabled
>
> "Web servers that respond to the OPTIONS HTTP method expose what other
> methods are supported by the web server, allowing attackers to narrow and
> intensify their efforts."
>
> Which feels like a bit of a stretch, it's only a problem if it enables
> other attacks and given the number of HTTP methods it won't slow down
> any attacker.
> It's a bit like saying "a login form exposes where to input user password
> for a brute-force attack" ;)
>
> On Friday, 30 October 2020 at 09:01:42 UTC [email protected] wrote:
>
>> It gave a CVSS score of 2.6 low and highlighted that
>> http-options-method-enabled.
>>
>> I could possibly have this waived off, but need to know if it is required
>> or is there any way I can disable it if it is not critical to be used.
>> On Friday, October 30, 2020 at 4:12:41 PM UTC+8 [email protected] wrote:
>>
>>> What exactly does your security scanner say about OPTIONS on prometheus?
>>> It sounds like a false positive.

