Enhancement
Following the security fix in PR #31, add a configurable allowedMethods option to createWebHandler().
Background
The current implementation validates HTTP methods against a hardcoded list that includes CONNECT and TRACE. Both methods pose security risks for a general-purpose web handler:
- CONNECT: can be abused to turn the server into a tunnel/proxy to other hosts
- TRACE: enables Cross-Site Tracing (XST), because the server echoes the request, including cookies and authorization headers, back to the client
Proposal
Add allowedMethods option with a secure default:
```js
createWebHandler({
  // ... existing options
  allowedMethods: ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"],
});
```
- The default excludes CONNECT and TRACE
- Users who need them can explicitly enable them by passing their own list
- Follows the principle of secure defaults
Priority
Low - address after critical security fixes are merged.
— Sam 🌱 (per Luthien's review feedback on PR #31)
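As an added illustration of the proposal (not code from the project or from PR #31), here is a hypothetical createWebHandler() that applies the allowedMethods option with the secure default above. The option name comes from the proposal; the request/response shapes, the handler option, the method-token check, and the 405 handling are assumptions made for this example.

```javascript
// Added example, not the project's own createWebHandler(): a hypothetical
// implementation of the proposed allowedMethods option. Request and response
// are plain objects ({ method }, { status, headers, body }) for illustration.

// Secure default from the proposal: CONNECT and TRACE are deliberately absent.
const DEFAULT_ALLOWED_METHODS = Object.freeze([
  "GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS",
]);

// HTTP method names are case-sensitive tokens (RFC 9110 section 9.1). Rather
// than upper-casing user input (which would silently accept "trace"), reject
// any entry that is not already an uppercase token.
const METHOD_TOKEN = /^[A-Z][A-Z0-9-]*$/;

function normalizeAllowedMethods(allowedMethods) {
  if (allowedMethods === undefined) {
    return [...DEFAULT_ALLOWED_METHODS];
  }
  if (!Array.isArray(allowedMethods) || allowedMethods.length === 0) {
    throw new TypeError("allowedMethods must be a non-empty array of HTTP method names");
  }
  for (const method of allowedMethods) {
    if (typeof method !== "string" || !METHOD_TOKEN.test(method)) {
      throw new TypeError(`invalid HTTP method in allowedMethods: ${JSON.stringify(method)}`);
    }
  }
  // De-duplicate while preserving the caller's order for the Allow header.
  return [...new Set(allowedMethods)];
}

function createWebHandler({ allowedMethods, handler } = {}) {
  if (typeof handler !== "function") {
    throw new TypeError("handler must be a function");
  }
  const allowed = normalizeAllowedMethods(allowedMethods);
  const allowedSet = new Set(allowed);
  const allowHeader = allowed.join(", ");

  return function webHandler(request) {
    // Exact, case-sensitive match: "TRACE" is rejected by default, and
    // "trace" is never equal to an allow-listed "TRACE".
    if (!allowedSet.has(request.method)) {
      // A 405 response must list the permitted methods in Allow
      // (RFC 9110 section 15.5.6).
      return {
        status: 405,
        headers: { Allow: allowHeader },
        body: "Method Not Allowed",
      };
    }
    return handler(request);
  };
}

// Constructed usage: the secure default versus a handler that explicitly
// opts in to TRACE.
const echo = (request) => ({ status: 200, headers: {}, body: `handled ${request.method}` });
const defaultHandler = createWebHandler({ handler: echo });
const traceEnabledHandler = createWebHandler({ allowedMethods: ["GET", "TRACE"], handler: echo });
```

Two design points worth keeping when this lands in the real createWebHandler(): compare methods exactly rather than case-insensitively (so a lowercase spelling cannot bypass the allow-list), and reject an empty or malformed allowedMethods at construction time rather than at request time, so a misconfiguration fails loudly on startup instead of silently denying every request.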