- 🇫🇷France prudloff Lille
Is this still relevant? The issue summary does not say why it is postponed.
I believe Drupal already returns a 405 error if a method is not supported by the route.
Hi,
To follow OWASP recommendations, the request methods should be selectively allowed, and everything else blocked by default.
It goes without saying that GET and POST are to be enabled by default. However, the other methods are not used by core, but they may be used by modules. I'd thus like to have a way to configure the list of enabled methods.
A module could, for example, define the list of methods it wants to enable in its configuration.
Since this is a major breaking change, I'm opening this issue against 9.x-dev.
Is this idea worth pursuing in Drupal? Is it better that I give up right away? Thanks for your feedback!
Postponed
11.0 🔥
other
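The default-deny allowlist proposed in the issue summary above, sketched in plain PHP. This is an added example, not Drupal core or module code. The function names, the `CORE_METHODS` constant and the `example_rest` module configuration are hypothetical; rejected methods get a 405 with an `Allow` header.

```php
<?php
declare(strict_types=1);

// Assumption taken from the issue summary: GET and POST are enabled by default.
const CORE_METHODS = ['GET', 'POST'];

/**
 * Merges the core defaults with the methods each module declares.
 * $moduleConfig is a constructed stand-in for per-module configuration.
 */
function build_method_allowlist(array $moduleConfig): array {
  $allowed = array_fill_keys(CORE_METHODS, TRUE);
  foreach ($moduleConfig as $module => $methods) {
    foreach ((array) $methods as $method) {
      // Accept only RFC 9110 method tokens, so a malformed config value
      // cannot widen the list or reach the Allow header unvalidated.
      if (!is_string($method) || !preg_match('/^[!#$%&\'*+.^_`|~0-9A-Za-z-]+$/', $method)) {
        throw new InvalidArgumentException("Invalid HTTP method declared by $module");
      }
      $allowed[strtoupper($method)] = TRUE;
    }
  }
  return array_keys($allowed);
}

/**
 * Default-deny check. Returns NULL when the method may continue to routing,
 * or [status, headers] for the rejection response.
 */
function check_method(string $method, array $allowlist): ?array {
  // Strict comparison: anything not explicitly listed is blocked.
  if (in_array($method, $allowlist, TRUE)) {
    return NULL;
  }
  return [405, ['Allow' => implode(', ', $allowlist)]];
}

// Constructed sample: one module enables PATCH and DELETE.
$allowlist = build_method_allowlist(['example_rest' => ['patch', 'DELETE']]);
foreach (['GET', 'PATCH', 'TRACE', 'PROPFIND'] as $m) {
  $denied = check_method($m, $allowlist);
  printf("%-8s => %s\n", $m, $denied ? "405, Allow: {$denied[1]['Allow']}" : 'passed to routing');
}
```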