jakartaee / servlet

Jakarta Servlet
https://eclipse.org/ee4j/servlet
262 stars, 83 forks

As per RFC 9110 (and earlier) HTTP TRACE response MUST NOT include sensitive headers #469

Closed markt-asf closed 1 year ago

markt-asf commented 2 years ago

https://www.rfc-editor.org/rfc/rfc9110.html#name-trace

The requirement was added in RFC 7231. It is not present in RFC 2616.

dsandrade0 commented 1 year ago

In this task, do we only forward the request headers to the response? Is this a Good First Issue???

markt-asf commented 1 year ago

This task is to ensure that sensitive headers as defined in RFC 9110 are not included in the legacy TRACE response implemented in HttpServlet#doTrace(). Yes, this is a suitable first issue. For bonus points, fix the separate problem that the current code doesn't handle headers that appear more than once.
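Added example, not the Jakarta Servlet project's code and not the change that closed this issue: a `doTrace()` written the way the comment above asks for, so that the echoed `message/http` body omits sensitive request fields and still reproduces every value of a header that the client sent more than once. The `SENSITIVE_HEADERS` set is an assumption: RFC 9110 names stored credentials and cookies as the data a TRACE response should not disclose, and `Proxy-Authorization` is added here on the same reasoning; the class name `SafeTraceServlet` is hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Enumeration;
import java.util.Locale;
import java.util.Set;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Illustrative servlet (hypothetical name, not project code) showing a legacy-style
 * TRACE echo that neither leaks credentials nor drops repeated header fields.
 */
public class SafeTraceServlet extends HttpServlet {

    private static final String CRLF = "\r\n";

    // Assumed list. RFC 9110 points at stored credentials and cookies as the fields a
    // TRACE response must not disclose; Proxy-Authorization is included on the same
    // reasoning. Header field names are case-insensitive, so the set holds lower case.
    static final Set<String> SENSITIVE_HEADERS = Set.of(
            "authorization", "proxy-authorization", "cookie");

    /** True when the named request header must not be echoed back to the client. */
    static boolean isSensitiveHeader(String name) {
        return name != null && SENSITIVE_HEADERS.contains(name.toLowerCase(Locale.ROOT));
    }

    @Override
    protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        StringBuilder buffer = new StringBuilder("TRACE ")
                .append(req.getRequestURI()).append(' ').append(req.getProtocol());

        // The API allows a container to return null here when it withholds header access.
        Enumeration<String> names = req.getHeaderNames();
        while (names != null && names.hasMoreElements()) {
            String name = names.nextElement();
            if (isSensitiveHeader(name)) {
                continue; // never echo credentials or cookies back to the client
            }
            // getHeaders(name) yields every value of a repeated field; getHeader(name)
            // would silently return only the first one, which is the second bug above.
            Enumeration<String> values = req.getHeaders(name);
            while (values != null && values.hasMoreElements()) {
                buffer.append(CRLF).append(name).append(": ").append(values.nextElement());
            }
        }
        buffer.append(CRLF);

        // A message/http body is octets: size it in bytes, not in Java chars, so that
        // Content-Length stays correct if a header value contains non-ASCII bytes.
        byte[] body = buffer.toString().getBytes(StandardCharsets.ISO_8859_1);
        resp.setContentType("message/http");
        resp.setContentLength(body.length);
        resp.getOutputStream().write(body);
    }
}
```

Deployed behind a container with TRACE enabled, a request carrying `Authorization: Basic ...`, `Cookie: ...` and two `Accept` lines would be echoed with only the request line and the two `Accept` fields. Filtering by a fixed name set is the narrowest reading of the RFC text; a deployment that knows its own credential-bearing fields (custom API-key headers, for instance) would extend the set, which is why it is kept as a single constant.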