Hi, why should DELETE or OPTIONS not be enabled? They are standard HTTP methods.
On Tue, Mar 17, 2020 at 11:05 PM James H. H. Lampert <jam...@touchtonecorp.com> wrote:
>
> Ladies and Gentlemen:
>
> One of our customers did a security audit on the Tomcat server we
> maintain on their system, and it found a few issues:
>
> First, it found a cross-site scripting vulnerability.
>
> Second, it found the HTTP DELETE method enabled.
>
> Third, it found a click-jacking vulnerability.
>
> Fourth, it found the HTTP OPTIONS method enabled.
>
> Back in October, the click-jacking vulnerability came up on another
> customer box; I've found the thread, and just now set up the filter and
> filter-mapping in conf/web.xml, so that is hopefully taken care of in
> the next restart.
>
> But I have no idea what to do about the cross-site scripting
> vulnerability, or the DELETE and OPTIONS methods, and I'm having trouble
> understanding the materials I've found.
>
> --
> JHHL
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> ---------------------------------------------------------------------
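For reference, the kind of conf/web.xml configuration the quoted message is talking about, written here as an added example and not taken from the thread or from the poster's system: Tomcat's stock HttpHeaderSecurityFilter for the click-jacking finding, plus a security-constraint that returns 403 for the DELETE, OPTIONS, PUT and TRACE methods, whether or not an application actually needs them blocked. The url-pattern, method list and filter name are assumptions for the example.

```xml
<!-- Added example for conf/web.xml (or a webapp's WEB-INF/web.xml); not from the thread. -->

<!-- Click-jacking: the filter shipped with Tomcat sets X-Frame-Options on every
     response (DENY by default; SAMEORIGIN is the other common choice). -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>DENY</param-value>
    </init-param>
    <!-- Only enable HSTS if the site is actually served over HTTPS. -->
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

<!-- DELETE / OPTIONS: the methods listed here are constrained, and the empty
     auth-constraint means no role is permitted, so Tomcat answers 403.
     GET, POST and HEAD are not listed and therefore remain unaffected.
     Tomcat logs a startup warning that the other methods are "uncovered";
     that is expected for this pattern. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>blocked-http-methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>PUT</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
```

After a restart, a request such as `curl -i -X OPTIONS http://host/` should come back 403 and any normal page should carry `X-Frame-Options: DENY`, which is the quickest way to confirm both changes took effect.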