Using nc or curl I get HTTP status code 405 for TRACE requests, but if I scan my site with NMAP, it looks like TRACE is enabled. Could someone explain to me whether TRACE is correctly disabled or not?
NC
    nc hd1.aon.it 443
    TRACE /js/jquery.cookie.js?param=1 HTTP/1.1
    Host: hd1.aon.it
    X-Wind: custom

    HTTP/1.1 405 Method Not Allowed
    Content-Length: 83
    Content-Type: text/html
    Date: Thu, 12 Jan 2017 12:59:04 GMT
    Via: HTTP/1.1 sophos.http.proxy:3128
    Connection: keep-alive

    Error405 - Method Not Allowed
NMAP
    nmap -p 443 --script http-methods hd1.aon.it

    Starting Nmap 6.46 ( http://nmap.org ) at 2017-01-12 13:41 CET
    Nmap scan report for hd1.aon.it (93.63.129.73)
    Host is up (0.00026s latency).
    rDNS record for 93.63.129.73: 93-63-129-73.ip27.fastwebnet.it
    PORT    STATE SERVICE
    443/tcp open  https
    | http-methods: GET HEAD POST TRACE OPTIONS
    | Potentially risky methods: TRACE
    |_See http://nmap.org/nsedoc/scripts/http-methods.html

    Nmap done: 1 IP address (1 host up) scanned in 2.19 seconds
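
Added example, not part of the original post: Nmap's http-methods script builds its list from the reply to an OPTIONS request, so a method can be advertised there and still be refused when it is actually sent. The sketch below classifies TRACE from both replies; the function names, the OPTIONS reply and the echoing TRACE reply are constructed assumptions, and only the 405 reply mirrors the post.

```python
# Constructed sample replies. TRACE_405 mirrors the 405 reply shown in the post;
# OPTIONS_REPLY and TRACE_ECHO are assumptions made up for this example.
OPTIONS_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Allow: GET, HEAD, POST, TRACE, OPTIONS\r\n"
    b"Content-Length: 0\r\n\r\n"
)
TRACE_405 = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Content-Length: 83\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"Error405 - Method Not Allowed"
)
TRACE_ECHO = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n\r\n"
    b"TRACE /js/jquery.cookie.js?param=1 HTTP/1.1\r\nHost: hd1.aon.it\r\nX-Wind: custom\r\n\r\n"
)


def parse(raw):
    """Split a raw HTTP response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def advertised(options_raw):
    """Methods the server lists in Allow/Public on an OPTIONS reply."""
    _, headers, _ = parse(options_raw)
    listed = headers.get("allow", "") + "," + headers.get("public", "")
    return {m.strip().upper() for m in listed.split(",") if m.strip()}


def trace_verdict(options_raw, trace_raw, marker):
    """Classify TRACE by what the server does, not only by what it advertises."""
    status, _, body = parse(trace_raw)
    if 200 <= status < 300 and marker in body:  # request echoed back: TRACE works
        return "enabled"
    if "TRACE" in advertised(options_raw):
        return "advertised-but-rejected"
    return "disabled"
```

The marker is a custom request header such as the `X-Wind: custom` sent in the post; TRACE counts as enabled only when that header comes back in a 2xx response body.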