Block TRACE HTTP Verb by default

Description

Undertow responds to the TRACE verb by default for static files, which can be exploited (Cross-Site Tracing). Configure Undertow so that it does not respond to TRACE.

Here's info on the exploit: https://www.owasp.org/index.php/Cross_Site_Tracing

Here's a sample rewrite rule snippet used to block TRACE in the meantime:
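The rewrite-rule snippet referenced above is not present on this page. As an added illustration (not the reporter's snippet and not CommandBox or Undertow project code), the following shows the same outcome done at the Undertow API level: a wrapping `HttpHandler` that answers TRACE with `405 Method Not Allowed` before the request ever reaches the static-file handler. The listener address, port and the `webroot` directory are assumptions for the example.

```java
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.resource.PathResourceManager;
import io.undertow.server.handlers.resource.ResourceHandler;
import io.undertow.util.Headers;
import io.undertow.util.Methods;
import io.undertow.util.StatusCodes;

import java.nio.file.Paths;

/**
 * Added example: a server that serves static files but refuses TRACE.
 * Paths, host and port are constructed values for illustration only.
 */
public class NoTraceServer {

    /**
     * Wraps any handler so that a TRACE request is answered with 405 and
     * never forwarded. Everything else passes through unchanged.
     */
    static HttpHandler rejectTrace(HttpHandler next) {
        return (HttpServerExchange exchange) -> {
            if (Methods.TRACE.equals(exchange.getRequestMethod())) {
                exchange.setStatusCode(StatusCodes.METHOD_NOT_ALLOWED);
                // Tell clients which verbs this endpoint does accept.
                exchange.getResponseHeaders().put(Headers.ALLOW, "GET, HEAD, POST, OPTIONS");
                exchange.endExchange();
                return;
            }
            next.handleRequest(exchange);
        };
    }

    public static void main(String[] args) {
        // Assumed directory holding the static files (constructed for the example).
        HttpHandler staticFiles = new ResourceHandler(
                new PathResourceManager(Paths.get("webroot"), 1024));

        Undertow server = Undertow.builder()
                .addHttpListener(8080, "localhost")   // assumed bind address
                .setHandler(rejectTrace(staticFiles)) // TRACE is blocked before ResourceHandler
                .build();
        server.start();
    }
}
```

To confirm the change took effect, a request such as `curl -i -X TRACE http://localhost:8080/` should now return `HTTP/1.1 405 Method Not Allowed` with an `Allow` header, while `GET` against the same path continues to serve the file. Undertow also ships `io.undertow.server.handlers.DisallowedMethodsHandler`, which can be given `Methods.TRACE` to achieve the same result without a hand-written wrapper.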

Assignee

Brad Wood

Reporter

Brad Wood

Labels

None

Affects versions

None

Fix versions

Priority

Major

Components

Configure