From e1b2f6ae1370111ca273e77c1fc7c5df3b11a2ec Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Wed, 16 Nov 2022 23:27:45 +0100 Subject: Apache TraceEnable Off (#4863) I have just received an e-mail with a security concern. Although most likely an obsolete concern (old browsers with Java applets), and the Apache team saying that there is no problem, let's disable the TRACE method by default in our Docker images until we hear anybody actually wanting this feature. https://httpd.apache.org/docs/current/mod/core.html#traceenable https://owasp.org/www-community/attacks/Cross_Site_Tracing --- Docker/FreshRSS.Apache.conf | 1 + 1 file changed, 1 insertion(+) (limited to 'Docker') diff --git a/Docker/FreshRSS.Apache.conf b/Docker/FreshRSS.Apache.conf index c7a0080ac..2cfb9cbf9 100644 --- a/Docker/FreshRSS.Apache.conf +++ b/Docker/FreshRSS.Apache.conf @@ -8,6 +8,7 @@ CustomLog /dev/stdout combined_proxy ErrorLog /dev/stderr AllowEncodedSlashes On ServerTokens OS +TraceEnable Off AllowOverride None -- cgit v1.2.3
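Review bot: the added `TraceEnable Off` line after `ServerTokens OS` has no comment explaining why TRACE is disabled, although the commit message presents it as a default to keep "until we hear anybody actually wanting this feature". A one-line comment above the directive, pointing to the Apache TraceEnable documentation already linked in the commit message, would tell a later maintainer that the setting is deliberate and where to look before changing it. The directive is only valid in server config or virtual host context, so it should stay at this top level next to `ServerTokens OS` and not be moved into the block that holds `AllowOverride None`. With `TraceEnable Off`, Apache answers a TRACE request with 405 Method Not Allowed, which makes a simple check for the image's smoke tests. The diffstat touches only `Docker/FreshRSS.Apache.conf`, so installs that use their own Apache configuration keep whatever TRACE setting they already have; a short mention in the installation documentation would cover those.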