knownMethodValidator

Version

Accepts only the request methods Membrane knows: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS, CONNECT, TRACE. Every other method, e.g. the WebDAV verb PROPFIND or a made-up FOOBAR, is answered with 501 Not Implemented. See examples/configuration for a runnable config.

Example Configuration

components:
methodValidator:
knownMethodValidator:
allowTrace: false
maxLength: 16
components:
   methodValidator:
     knownMethodValidator:
       allowTrace: false
       maxLength: 16

Syntax

knownMethodValidator:
allowTrace: <boolean>
maxLength: <number>
knownMethodValidator:
  allowTrace: <boolean>
  maxLength: <number>

Attributes

NameRequiredDefaultDescriptionExamples
allowTracefalsefalseWhether to allow the TRACE HTTP method. TRACE echoes the request back in the response body and is a classic vector for cross-site tracing attacks, so it is rejected unless explicitly allowed.true
maxLengthfalse20Maximum length of an accepted method. Methods longer than this are rejected.16

Can be used in