From 2eb3e3f994e464ae2678f7c3d321213e5eec9ad4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Hoguin?= <essen@ninenines.eu>
Date: Wed, 6 Dec 2017 10:54:23 +0100
Subject: Also disable the TRACE method entirely

---
 src/cowboy_http.erl | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'src/cowboy_http.erl')

diff --git a/src/cowboy_http.erl b/src/cowboy_http.erl
index eca0099..71b7099 100644
--- a/src/cowboy_http.erl
+++ b/src/cowboy_http.erl
@@ -350,6 +350,9 @@ parse_request(Buffer, State=#state{opts=Opts, in_streamid=InStreamID}, EmptyLine
 				<<"CONNECT ", _/bits>> ->
 					error_terminate(501, State, {connection_error, no_error,
 						'The CONNECT method is currently not implemented. (RFC7231 4.3.6)'});
+				<<"TRACE ", _/bits>> ->
+					error_terminate(501, State, {connection_error, no_error,
+						'The TRACE method is currently not implemented. (RFC7231 4.3.8)'});
 				%% Accept direct HTTP/2 only at the beginning of the connection.
 				<< "PRI * HTTP/2.0\r\n", _/bits >> when InStreamID =:= 1 ->
 					%% @todo Might be worth throwing to get a clean stacktrace.
-- 
cgit v1.2.3