Hi,

I'm using Spring Boot 2.7.x and 3.1.x on an enterprise project. During the Security Test phase, in particular in the DAST phase (Dynamic Application Security Testing), they detected a vulnerability on the web servers (Undertow in my case), described on this site: https://owasp.org/www-community/attacks/Cross_Site_Tracing. Searching the documentation, I didn't find any method to disable the specific HTTP methods with only application configuration (application.properties/application.yaml), but only programmatically. Is there any way to do this? If not, could it be an additional feature?

Comment From: bclozel

I think this feature (and many others related to security) is covered by Spring Security's HttpFirewall. I don't think Spring Boot should implement this itself and there are far too many options to cover them with application properties.

I'm declining this issue as a result.
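
An added example, not part of the issue thread and not Spring Boot's own code: one way to drive the `HttpFirewall` mentioned above from application properties, so that TRACE is rejected unless explicitly allowed. The property name `app.security.allowed-http-methods` and the class name are hypothetical; it assumes Spring Security is on the classpath.

```java
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
import org.springframework.security.web.firewall.RequestRejectedHandler;
import org.springframework.security.web.firewall.StrictHttpFirewall;

// Hypothetical configuration class for this example.
@Configuration
public class HttpMethodFirewallConfig {

    // Hypothetical property. Example application.properties entry:
    //   app.security.allowed-http-methods=GET,POST,HEAD,OPTIONS
    // The default below deliberately omits TRACE.
    @Value("${app.security.allowed-http-methods:GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS}")
    private List<String> allowedHttpMethods;

    // Spring Security picks up an HttpFirewall bean and applies it to every
    // request that enters its filter chain.
    @Bean
    public HttpFirewall httpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        // Any method not in this allowlist causes a RequestRejectedException.
        firewall.setAllowedHttpMethods(allowedHttpMethods);
        return firewall;
    }

    // Turn the rejection into 405 Method Not Allowed instead of the
    // handler's default 400, so scanners and clients get an accurate status.
    @Bean
    public RequestRejectedHandler requestRejectedHandler() {
        return new HttpStatusRequestRejectedHandler(HttpStatus.METHOD_NOT_ALLOWED.value());
    }
}
```

The firewall only sees requests that pass through Spring Security's filter chain, so confirm the result by sending a TRACE request to the deployed application and checking for the 405 response.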