Trace Method Is Enabled
The TRACE capability could be used by vulnerable or malicious applications to trick a web browser into issuing a TRACE request
against an arbitrary site and then send the TRACE response to a third party using web browser features.
<!-- ASP.NET web.config: these elements go inside <system.web> -->
<httpHandlers>
  <add path="*" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
</httpHandlers>
<authorization>
  <deny verbs="TRACE" users="*" />
</authorization>
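# Apache mod_rewrite: answer TRACE requests with 403 Forbidden
# Flags example: [F] = forbidden, [R] = redirect
# Must enable per VirtualHost: RewriteEngine On
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
# Apache core directive that turns off TRACE handling
TraceEnable off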
<!-- Location: webapps/theAPP/WEB-INF/web.xml -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <!-- An empty auth-constraint means no role may use the listed method -->
  <auth-constraint />
</security-constraint>
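A check for confirming that one of the configurations above took effect, as an added example that is not part of the original page: it sends a TRACE request carrying a canary header and reports the method as enabled only when a 2xx response echoes that canary back. The header name, canary value, function names and the loopback stand-in server are assumptions constructed for this example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CANARY_HEADER = "X-Trace-Check"   # hypothetical header, used only by this check
CANARY_VALUE = "canary-7f3a"      # constructed marker value

def trace_status(host, port, path="/", timeout=5):
    """Send one TRACE request and return (verdict, http_status).

    "enabled" means a 2xx reply whose body echoes the canary, which is what
    a working TRACE handler does; any other reply (403, 405, 501, ...) is "disabled".
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={CANARY_HEADER: CANARY_VALUE})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
    finally:
        conn.close()
    echoed = CANARY_VALUE in body
    verdict = "enabled" if 200 <= resp.status < 300 and echoed else "disabled"
    return verdict, resp.status

def start_constructed_server(echo):
    """Loopback stand-in: echo=True reflects TRACE, echo=False refuses it with 403."""
    class Handler(BaseHTTPRequestHandler):
        def do_TRACE(self):
            if not echo:
                self.send_error(403)  # same status the [F] rewrite flag produces
                return
            lines = [self.requestline] + [f"{k}: {v}" for k, v in self.headers.items()]
            body = ("\r\n".join(lines) + "\r\n").encode("latin-1")
            self.send_response(200)
            self.send_header("Content-Type", "message/http")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the check's output quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    for echo in (True, False):
        srv = start_constructed_server(echo)
        print(trace_status("127.0.0.1", srv.server_address[1]))
        srv.shutdown()
```

Run against a server you administer, `trace_status("host", 80)` should return "disabled" once TRACE is blocked; the status code shows which control answered.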