My issue is that even though TRACE is disabled, we see the "malicious"
header in the response.
On Wed, 8 Sept 2021 at 17:01, Mark Thomas wrote:
>
> On 08/09/2021 14:14, Gilles Robert wrote:
> > Hi,
> >
> > Using Spring Boot (2.5.4) with Tomcat (9.0.52), the HT
Hi,
Using Spring Boot (2.5.4) with Tomcat (9.0.52), the HTTP TRACE method
is disabled by default and returns a 405 method not allowed, which is
what I expect security-wise. My issue is that if one gives a malicious
header:
header: malicious: alert('malicious call');
it's given back in the respon