rfc9110MethodValidator

Accepts any method matching the RFC 9110 token grammar (the spec's definition of a valid method), up to maxLength characters. The most permissive of the built-in policies: it also accepts lowercase methods and punctuation tchars such as PROPFIND or my.method. Declare it explicitly to widen validation beyond the built-in default (DefaultMethodValidator). See examples/configuration for a runnable config.

Example Configuration

components:
   methodValidator:
     rfc9110MethodValidator:
       maxLength: 32

Syntax

rfc9110MethodValidator:
  allowTrace: <boolean>
  maxLength: <number>

Attributes

| Name | Required | Default | Description | Examples |
|---|---|---|---|---|
| allowTrace | false | false | Whether to allow the TRACE HTTP method. TRACE echoes the request back in the response body and is a classic vector for cross-site tracing attacks, so it is rejected unless explicitly allowed. | true |
| maxLength | false | 20 | Maximum length of an accepted method. Methods longer than this are rejected. | 16 |
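
The following Python sketch is an added illustration of the acceptance rules described on this page (RFC 9110 token grammar, maxLength, allowTrace); it is not the project's own code. The function names, the sample methods and the case-insensitive TRACE comparison are assumptions made for the example.

```python
import string

# RFC 9110 section 5.6.2: token = 1*tchar
TCHARS = frozenset("!#$%&'*+-.^_`|~" + string.digits + string.ascii_letters)


def validate_method(method, max_length=20, allow_trace=False):
    """Return (accepted, reason) for an HTTP method string.

    Defaults mirror the attribute table on this page
    (maxLength 20, allowTrace false).
    """
    if not method:
        return False, "empty method (a token needs at least one tchar)"
    if len(method) > max_length:
        return False, f"longer than maxLength={max_length}"
    bad = sorted({c for c in method if c not in TCHARS})
    if bad:
        # Spaces, colons, CR/LF and other separators fail here, so a method
        # carrying header-injection bytes never passes the validator.
        return False, "non-tchar characters: " + " ".join(repr(c) for c in bad)
    # Assumption: TRACE is compared case-insensitively, the stricter choice
    # for a policy that also admits lowercase methods. The page does not say
    # how the real validator compares.
    if method.upper() == "TRACE" and not allow_trace:
        return False, "TRACE not allowed (allowTrace=false)"
    return True, "ok"


# Constructed sample inputs, not taken from real traffic.
SAMPLES = ["GET", "PROPFIND", "my.method", "get", "TRACE", "trace",
           "GE T", "GET\r\nX-Injected: 1", "M" * 33, ""]


def check_samples(**policy):
    """Validate every constructed sample under the given policy settings."""
    return {m: validate_method(m, **policy) for m in SAMPLES}


if __name__ == "__main__":
    # Same setting as the example configuration above: maxLength 32.
    for m, (ok, reason) in check_samples(max_length=32).items():
        print(f"{m!r:26} {'accept' if ok else 'reject':7} {reason}")
```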

Can be used in