[DSIP-37] Disable HTTP TRACE requests in jetty via configuration
jfifth opened this issue
Baoquan Zhang commented
Search before asking
- I had searched in the DSIP and found no similar DSIP.
Motivation
DS was scanned for a TRACE vulnerability. An attacker exploiting a TRACE request, in combination with other browser-side vulnerabilities, could potentially conduct a cross-site scripting attack to obtain sensitive information, such as authentication information in a cookie, which would then be used in other types of attacks.
Design Detail
Jetty TRACE requests can be disabled via a configuration option.
Compatibility, Deprecation, and Migration Plan
No response
Test Plan
No response
Code of Conduct
- I agree to follow this project's Code of Conduct
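The scanner finding behind this proposal is that the server answers TRACE by reflecting the request, headers included, so a Cookie header (even an HttpOnly one) comes back in a response body that script could read. The check below is an added example and is not DolphinScheduler or Jetty code; it uses two throwaway local servers, constructed here, as stand-ins for "before" (TRACE echoed, the way a default servlet doTrace behaves) and "after" (TRACE refused with 405), and `trace_enabled()` is the probe you would point at a real host and port once the fix is deployed. The marker value and the hostnames are assumptions for the demo.

```python
"""Probe whether an HTTP endpoint reflects TRACE requests (what the scanner flags).

Added example, not DolphinScheduler or Jetty code. Two local servers stand in
for the vulnerable and the fixed behaviour; the probe is what you run against
a real deployment.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "ds-trace-probe-1234"  # constructed value; the probe looks for it in the echo


class EchoingTraceHandler(BaseHTTPRequestHandler):
    """Before: echoes the request line and headers, as a default TRACE handler does."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class RefusingTraceHandler(EchoingTraceHandler):
    """After: TRACE is rejected and nothing from the request is reflected."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(handler):
    """Bind an ephemeral localhost port and serve in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def trace_enabled(host, port, timeout=3.0):
    """Send TRACE with a Cookie carrying MARKER; True if the server echoes it back.

    A 200 alone is not proof (some servers answer 200 with an empty body); the
    finding is the reflection of request headers, so that is what is checked.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"Cookie": f"sessionId={MARKER}"})
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
        return resp.status == 200 and MARKER in body
    finally:
        conn.close()


def check_both():
    """Run the probe against both stand-ins; returns (before_fix, after_fix)."""
    before = start_server(EchoingTraceHandler)
    after = start_server(RefusingTraceHandler)
    try:
        return (
            trace_enabled("127.0.0.1", before.server_port),
            trace_enabled("127.0.0.1", after.server_port),
        )
    finally:
        before.shutdown()
        after.shutdown()


if __name__ == "__main__":
    vulnerable, fixed = check_both()
    print(f"echoing server  -> TRACE enabled: {vulnerable}")  # True
    print(f"refusing server -> TRACE enabled: {fixed}")       # False
```

Two caveats worth keeping in mind when reading the scanner report. Current browsers refuse to issue TRACE from fetch or XMLHttpRequest (it is a forbidden method in the Fetch specification), so the classic cross-site tracing route needs some other way to drive the request; scanners still flag the reflection, and refusing the method costs nothing. Second, in servlet containers the long-standing way to block the method without touching code is a web.xml security-constraint with `<http-method>TRACE</http-method>` and an empty `<auth-constraint/>`; whatever mechanism the project picks, the probe above is how to confirm it actually took effect on the running API port rather than only in the config file.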
Wenjun Ruan commented
+1, directly disabling TRACE LGTM; we don't need to add a config to control this. Are you willing to submit a PR?