From: Jim Jagielski <jim@apache.org>
Date: Tue, 20 Mar 2012 12:08:25 +0000 (+0000)
Subject: Note that TRACE is not a vuln
X-Git-Tag: 2.5.0-alpha~7333
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7cd6f8086c9c3d8e20b3cc2301c927e8216d7d49;p=apache

Note that TRACE is not a vuln


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1302855 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/mod/core.xml b/docs/manual/mod/core.xml
index f8147140cf..852e62174a 100644
--- a/docs/manual/mod/core.xml
+++ b/docs/manual/mod/core.xml
@@ -4201,6 +4201,13 @@ certain events before failing a request</description>
     <code>Transfer-Encoding: chunked</code> is used).  The core will
     reflect the full headers and all chunk headers with the response
     body.  As a proxy server, the request body is not restricted to 64k.</p>
+
+    <note><title>Note</title>
+    <p>Despite claims to the contrary, <code>TRACE</code> is not
+    a security vulnerability and there is no viable reason for
+    it to be disabled. Doing so necessarily makes your server
+    non-compliant.</p>
+    </note>
 </usage>
 </directivesynopsis>