Skip to content

As per RFC 9110 (and earlier) HTTP TRACE response MUST NOT include sensitive headers #469

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
markt-asf opened this issue Aug 1, 2022 · 2 comments
Closed

As per RFC 9110 (and earlier) HTTP TRACE response MUST NOT include sensitive headers #469

markt-asf opened this issue Aug 1, 2022 · 2 comments

Comments

@markt-asf
Copy link
Contributor

https://www.rfc-editor.org/rfc/rfc9110.html#name-trace

The requirement was added in RFC 7231. It is not present in RFC 2616.
@markt-asf markt-asf changed the title AS per RFC 9110 (and earlier) HTTp TRACE response MUST not include sensitive headers As per RFC 9110 (and earlier) HTTP TRACE response MUST NOT include sensitive headers Aug 1, 2022
@dsandrade0
Copy link

In this task, is only forward to response the request headers? This is a Good First Issue???

@markt-asf
Copy link
Contributor Author

This task is to ensure that sensitive headers as defined in RFC 9110 are not included in the legacy TRACE response implemented in HttpServlet#doTrace().
Yes this is a suitable first issue.
For bonus points, fix the separate problem that the current code doesn't handle headers that appear more than once.

dsandrade0 pushed a commit to dsandrade0/servlet that referenced this issue Feb 24, 2023
Fix jakartaee#469 - Remove sensitive header on TRACE method
4904a24
markt-asf pushed a commit to markt-asf/servlet-api that referenced this issue Mar 22, 2023
@markt-asf
Fix jakartaee#469 - Remove sensitive header on TRACE method
d5960e0
markt-asf pushed a commit to markt-asf/servlet-api that referenced this issue Mar 22, 2023
@markt-asf
Fix jakartaee#469 - Remove sensitive header on TRACE method
f50cfa5
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dsandrade0 @markt-asf