Disable TRACE/TRACK to Metabase Jetty Server

gferrette · June 1, 2021, 1:28pm

Hello!

Please, is it possible to disable TRACE and TRACK directives to Metabase Jetty server?
For example:
curl -v -X TRACK http://metabaseserver:3000
curl -v -X TRACE http://metabaseserver:3000

Thanks in advance!

Gabriel.

flamber · June 1, 2021, 5:59pm

Hi @gferrette
Metabase does not return anything through those methods. But you can use a reverse-proxy to block methods - otherwise you would have to build your own version - see this file for places to change Jetty:
https://github.com/metabase/metabase/blob/master/src/metabase/server.clj
Can you explain why you need it disabled?

gferrette · June 1, 2021, 7:50pm

Hello @flamber!

Thanks for quick replying, we are going to block it via apache reverse proxy. We need it disabled for security complience reasons.

Thanks again!

Gabriel.

flamber · June 1, 2021, 8:25pm

Hi @gferrette
I have created an issue for this, since it seems unneeded that those methods are available:
https://github.com/metabase/metabase/issues/16311 - upvote by clicking on the first post

gferrette · June 1, 2021, 8:30pm

Hello @flamber!

Thanks again! I've just upvoted!

Gabriel.