Tech Tip: Web Security Issue addressed in 4D v15 R2
PRODUCT: 4D | VERSION: 15 R2 | PLATFORM: Mac & Win
Published On: October 13, 2015
The web security issue of HTTP TRACE which has been enabled in prior verisons prior to 4D v15 R2 and could not be disabled.
"TRACE" is an HTTP request method used for debugging which echo's input back to the user. When it is left enabled it is considered a security risk allowing an attacker to steal information including Cookies, and possibly website credentials.
To increase security, the HTTP TRACE method is disabled by default in the 4D v15R2 Web Server. When an HTTP TRACE request is received, the 4D Web Server now returns a 405 error ("method not allowed").
In v15 R2 and later it can be turned on and off using WEB GET OPTION and WEB SET OPTION using the constant Web HTTP TRACE.