Block TRACE HTTP Verb by default

Description

Undertow responds to TRACE verbs by default for static files, which can be exploited. Configure Undertow to not respond to TRACE.

Here's info on the exploit: https://www.owasp.org/index.php/Cross_Site_Tracing

Here's a sample rewrite rule snippet used to block TRACE in the meantime:

Assignee: Unassigned

Reporter: Brad Wood

Labels: None

Affects versions: None

Fix versions: None

Components: Configure
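
A way to verify whether a server still answers TRACE, before and after a configuration change. This is an added example, not part of the original ticket or the project's code. The two handlers are constructed local stand-ins for a server with TRACE enabled and one with it blocked, and the probe header name and value are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_HEADER = "X-Trace-Probe"    # hypothetical header name, used only by this check
PROBE_VALUE = "trace-check-0001"  # constructed marker value

class EchoTrace(BaseHTTPRequestHandler):
    """Constructed stand-in: answers TRACE by echoing the request back."""
    def do_TRACE(self):
        body = f"{self.requestline}\r\n{self.headers}".encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

class BlockTrace(EchoTrace):
    """Constructed stand-in: a server configured to refuse TRACE."""
    def do_TRACE(self):
        self.send_error(405, "Method Not Allowed")

def serve(handler):
    """Start a throwaway server on a free loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe_trace(host, port, path="/", timeout=5):
    """Send one TRACE request; return (status, echoed)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={PROBE_HEADER: PROBE_VALUE})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
        # echoed is True when the response body reflects our header value
        return resp.status, PROBE_VALUE in body
    finally:
        conn.close()

def trace_enabled(host, port, path="/"):
    """True if the server accepts TRACE or reflects the probe header back."""
    status, echoed = probe_trace(host, port, path)
    return 200 <= status < 300 or echoed

if __name__ == "__main__":
    for handler in (EchoTrace, BlockTrace):
        srv = serve(handler)
        print(handler.__name__, probe_trace("127.0.0.1", srv.server_address[1]))
        srv.shutdown()
```

Point `trace_enabled` at your own server's host and port, using a static file path, to confirm that the configuration change took effect.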