200 response should be defined for TRACE operations

Description

TRACE operations in your API must have the 200 response defined.

For more details, see RFC 7231.

Possible exploit scenario

Attackers strive to make your APIs behave in an unexpected way to learn more about your system or to cause a data breach. We highly recommend that you minimize any risks and clearly specify the data that your API operations can return for each possible response code.

In TRACE operations, the messages are reflected back to the client. If you do not carefully define the response for TRACE operations, the output might accidentally contain sensitive data that should have been excluded.

Remediation

Define 200 responses for all TRACE operations.


Copyright 42Crunch 2021