apache / dolphinscheduler

Apache DolphinScheduler is the modern data orchestration platform. Agile to create high-performance workflows with low code.

Home Page: https://dolphinscheduler.apache.org/


[DSIP-37] Disable HTTP TRACE requests in jetty via configuration

jfifth opened this issue · comments

Search before asking

  • I had searched in the DSIP and found no similar DSIP.

Motivation

DS was scanned for a TRACE vulnerability. An attacker exploiting a TRACE request, in combination with other browser-side vulnerabilities, could potentially conduct a cross-site scripting attack to obtain sensitive information, such as authentication information in a cookie, which would be used in other types of attacks.

Design Detail

Jetty TRACE requests can be disabled via a configuration option.

Compatibility, Deprecation, and Migration Plan

No response

Test Plan

No response

Code of Conduct
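A small added check (example code, not DolphinScheduler's own) that a defender can run against a deployment to confirm TRACE is really refused once a change like this lands; the two handler classes are constructed stand-ins for an echoing server and a hardened one, and `trace_enabled` reports True only when the response reflects the probe header.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_HEADER, PROBE_VALUE = "X-Trace-Probe", "constructed-marker"  # constructed probe header

def probe_trace(host: str, port: int, path: str = "/") -> dict:
    """Send one TRACE and report {'status': int, 'echoed': bool}; 'echoed' means the
    body mirrored our header, the reflection (cookies included) the issue warns about."""
    conn = HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", path, headers={PROBE_HEADER: PROBE_VALUE})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
        return {"status": resp.status, "echoed": PROBE_HEADER.lower() in body.lower()}
    finally:
        conn.close()

def trace_enabled(host: str, port: int) -> bool:
    """True only for a live echo: HTTP 200 whose body reflects the request."""
    result = probe_trace(host, port)
    return result["status"] == 200 and result["echoed"]

class EchoTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server with TRACE still enabled: mirrors the request."""
    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the probe output quiet
        pass

class NoTraceHandler(EchoTraceHandler):
    """Constructed stand-in for the hardened server: TRACE is refused with 405."""
    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()

def serve_in_background(handler_cls):
    """Start a throwaway server on a free loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]
```

Point `probe_trace` at your own API server's host and port; a hardened Jetty should answer with a 405 (or 403/501) and an empty, non-reflecting body.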

+1, directly disabling TRACE LGTM; we don't need to add a config to control this. Are you willing to submit a PR?