On 3/17/20 3:18 PM, Martynas Jusevičius wrote:
why should DELETE or OPTIONS not be enabled? They are standard HTTP methods.

True, but (quoting the audit report)
. . . [DELETE] may allow a remote attacker to delete arbitrary files . . . .
and (again quoting the report)
Web servers that respond to the OPTIONS HTTP method expose what other
methods are supported by the web server, allowing attackers to narrow
and intensify their efforts.

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to