4 Replies Latest reply on Nov 30, 2018 11:34 AM by sjeaves2

    How do I prevent access to WEB-INF via HTTP GET in WildFly 10?


      I'm tasked to close some security holes in our web-based application (powered by Java servlets). Using an in-house tool that allows us to submit "raw" HTTP requests (like you can with Telnet), we've discovered that, while POST requests forbid access, GET requests honor a request with a relative pathname like so:


      From what I've read, access to the WEB-INF directory is restricted, but as I've said, when I do a GET on WildFly 10 (standalone) with a "raw" HTTP request tool, the request is honored.