What do you mean by HTTP trace?
I mean "HTTP Track / Trace", these are the only details I have.
A customer of ours ran a Windows Server PCI compliance scan for an audit using a product called SecurityMetrics PCI Scan and these were the results:
Description: HTTP TRACE / TRACK Methods Allowed
Synopsis: Debugging functions are enabled on the remote web server.
Impact: The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.
If there are separate instructions for disabling this in access logging / request dumping / something else do you have any instructions?
Ah, now I managed to decrypt what you need.
You will need to edit your application's web.xml file
to list only allowed HTTP methods.
You probably need something like this:
<!-- no auth-constraint tag here -->
Thanks Tomaz, I'll see if that works
That looks fine if you want to have POST & GET only available for /restricted/* URLs.
If you need it for the whole application, then the url-pattern should be /*
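The kind of web.xml constraint discussed above, applied to the whole application with /*, as an added example that is not part of the original thread and not the snippet Tomaz posted. It assumes a Servlet 3.0 or later deployment descriptor, and the web-resource-name is an arbitrary label chosen here.

```xml
<!-- Added example; assumes a Servlet 3.0+ web.xml, because
     http-method-omission is not available in older descriptors. -->
<security-constraint>
  <web-resource-collection>
    <!-- Arbitrary label chosen for this example -->
    <web-resource-name>deny-all-but-get-post</web-resource-name>
    <!-- Cover every URL in the application -->
    <url-pattern>/*</url-pattern>
    <!-- The constraint applies to every method EXCEPT the ones omitted
         here, so TRACE, TRACK, PUT, DELETE and the rest are covered. -->
    <http-method-omission>GET</http-method-omission>
    <http-method-omission>POST</http-method-omission>
  </web-resource-collection>
  <!-- An empty auth-constraint permits no role at all: requests using
       a covered method are refused for every caller. -->
  <auth-constraint/>
</security-constraint>
```

With this constraint HEAD and OPTIONS are refused as well; add an `http-method-omission` line for each further method the application needs, then re-run the scan to confirm the result.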
Hi Tomaz, sorry for the slow reply.
Can I just confirm that if the URL Pattern is changed to "/*" that this will disable HTTP track / trace?
Thank you very much.