rabbitmq / rabbitmq-management

RabbitMQ Management UI and HTTP API
https://www.rabbitmq.com/management.html

Disable HTTP OPTIONS method or make it configurable #847

Closed ophirzk closed 3 years ago

ophirzk commented 3 years ago

Web servers that respond to the OPTIONS HTTP method expose what other methods are supported by the web server, allowing attackers to narrow and intensify their efforts.

The HTTP OPTIONS method is always enabled. We need to make it configurable.

Reference: https://www.rapid7.com/db/vulnerabilities/http-options-method-enabled

lukebakken commented 3 years ago

This came up on the mailing list relatively recently and @gmr was kind enough to do some analysis. Specifically, he pointed out how OPTIONS is used by CORS:

https://github.com/rabbitmq/rabbitmq-management/blob/master/src/rabbit_mgmt_cors.erl#L23

Given that code it is unlikely we will disable support for it, unless someone provides a pull request that takes it into account.

michaelklishin commented 3 years ago

We will not spend any time on it until a lot more demand (but not necessarily demanding language) emerges for this security through obscurity setting. This plugin will never support every HTTP server feature out there: it is not a general-purpose HTTP server. Combined with Cowboy settings, it already has too many options for most people to remember.

It's quite trivial to put Nginx, Apache or any other service in front of this HTTP API and configure virtually every imaginable HTTP-related feature.
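The reverse-proxy approach suggested above, worked out as an added example (this is not configuration from the rabbitmq-management project or from any participant in the thread). It keeps OPTIONS working for the one case the plugin relies on, the CORS preflight, while refusing it from any other origin, so a scanner probing the endpoint sees a 405 instead of a method list. Assumed values: the management plugin listens on 127.0.0.1:15672, the proxy is reached as https://mq.example.internal, and https://ops.example.internal is the only browser origin allowed to call the API cross-origin; the certificate paths are placeholders.

```nginx
# Added example, not part of rabbitmq-management. Assumes the management
# HTTP API on 127.0.0.1:15672 and a single allowed cross-origin caller.

# Echo the Origin header back only when it is on the allowlist; otherwise
# the variable stays empty and nginx omits any header whose value is empty.
map $http_origin $cors_origin {
    default                        "";
    "https://ops.example.internal" $http_origin;
}

# Classify the request: a preflight from an allowed origin is answered here,
# a preflight from anywhere else is refused, everything else is proxied.
map "$request_method:$cors_origin" $preflight_action {
    default            "";
    "OPTIONS:"         "deny";
    "~^OPTIONS:https"  "allow";
}

server {
    listen 443 ssl;
    server_name mq.example.internal;
    ssl_certificate     /etc/nginx/tls/mq.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/mq.key;   # placeholder path

    location / {
        # OPTIONS from an unknown origin never reaches the backend, so the
        # plugin's Allow/CORS headers are not exposed to it.
        if ($preflight_action = deny) {
            return 405;
        }

        # Preflight from the allowed origin: answer at the proxy.
        if ($preflight_action = allow) {
            add_header Access-Control-Allow-Origin  $cors_origin always;
            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
            add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
            add_header Access-Control-Max-Age       600 always;
            return 204;
        }

        # Real requests: the proxy is authoritative for the CORS origin header
        # so the backend's own value (if the plugin has CORS configured) is
        # not duplicated.
        proxy_hide_header Access-Control-Allow-Origin;
        add_header Access-Control-Allow-Origin $cors_origin always;

        proxy_pass http://127.0.0.1:15672;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

To check the behaviour after `nginx -t` and a reload: `curl -i -X OPTIONS -H 'Origin: https://evil.example' https://mq.example.internal/api/overview` should return 405 with no `Allow` or `Access-Control-*` headers, `curl -i -X OPTIONS -H 'Origin: https://ops.example.internal' -H 'Access-Control-Request-Method: GET' https://mq.example.internal/api/overview` should return 204 with the allow headers, and an OPTIONS request with no `Origin` header at all is also refused, which is what a method-enumeration scan sends. Note that the management UI itself is served from the same origin as the API, and same-origin requests do not trigger a preflight, so this change only affects cross-origin callers; if you have no such callers, `limit_except GET POST PUT DELETE { deny all; }` in the location block is an even simpler way to refuse OPTIONS at the proxy.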