Insecure methods reported for DLP Enforce Server console
Article ID: 282275
Products
Data Loss Prevention
Data Loss Prevention API Detection for Developer Apps Virtual Appliance
Data Loss Prevention Core Package
Data Loss Prevention Enforce
Data Loss Prevention Enterprise Suite
Data Loss Prevention Plus Suite
Issue/Introduction
Your vulnerability scan reports that the DLP Enforce Server web console has the following options enabled:
Insecure HTTP method - DELETE
Insecure HTTP method - PATCH
Insecure HTTP method - PUT
Insecure HTTP method - TRACE
Environment
All supported versions of the DLP Enforce Server
Resolution
The DLP engineering team has investigated this finding.
Because DLP Enforce UI functionality is offered through REST APIs, different pages support different sets of HTTP methods:
Functionality that can be accessed via REST API will support HEAD, DELETE, POST, GET, OPTIONS, PUT
Functionality that cannot be accessed via REST API will support HEAD, POST, GET, OPTIONS
Dangerous methods remain unsupported where their functionality could pose additional risk to the Enforce UI.
This guidance is applicable to all supported DLP versions as of today.
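The two method sets above can be turned into a triage rule for the scanner output quoted in this article. The following Python helper is an added example, not Broadcom code: it parses "Insecure HTTP method - X" finding lines (and, optionally, the Allow header of an OPTIONS response) and reports which methods the article documents for a REST-backed or non-REST page and which it does not, so only the undocumented ones need follow-up. The sample finding lines are constructed from this article.

```python
import re
from typing import Dict, FrozenSet, List

# Method sets the article documents for the two kinds of Enforce console pages.
REST_BACKED: FrozenSet[str] = frozenset({"HEAD", "DELETE", "POST", "GET", "OPTIONS", "PUT"})
NON_REST: FrozenSet[str] = frozenset({"HEAD", "POST", "GET", "OPTIONS"})

# Constructed sample: the four scanner lines quoted in the article.
SCANNER_FINDINGS: List[str] = [
    "Insecure HTTP method - DELETE",
    "Insecure HTTP method - PATCH",
    "Insecure HTTP method - PUT",
    "Insecure HTTP method - TRACE",
]

_FINDING_RE = re.compile(r"Insecure HTTP method\s*-\s*([A-Za-z]+)")


def parse_finding(line: str) -> str:
    """Extract the method name from one scanner finding line (uppercased)."""
    match = _FINDING_RE.search(line)
    if not match:
        raise ValueError(f"not an insecure-method finding: {line!r}")
    return match.group(1).upper()


def parse_allow_header(value: str) -> FrozenSet[str]:
    """Parse an HTTP 'Allow' header value (from an OPTIONS response) into a
    method set. Tolerates mixed case, stray spaces and empty tokens."""
    return frozenset(tok.strip().upper() for tok in value.split(",") if tok.strip())


def classify_methods(observed: FrozenSet[str], rest_backed: bool) -> Dict[str, List[str]]:
    """Split observed methods into those the article documents for this page
    type and those it does not (the latter are what a ticket should quote)."""
    policy = REST_BACKED if rest_backed else NON_REST
    return {"documented": sorted(observed & policy),
            "undocumented": sorted(observed - policy)}


def triage_findings(lines: List[str], rest_backed: bool) -> Dict[str, str]:
    """Map each scanner finding to a disposition: 'documented' when the method
    is in the article's set for this page type, otherwise 'investigate'."""
    policy = REST_BACKED if rest_backed else NON_REST
    return {m: ("documented" if m in policy else "investigate")
            for m in (parse_finding(line) for line in lines)}


if __name__ == "__main__":
    # For a REST-backed page: DELETE and PUT are documented; PATCH and TRACE are not.
    print(triage_findings(SCANNER_FINDINGS, rest_backed=True))
```

Run the same findings with rest_backed=False to see that, for a page without REST backing, DELETE and PUT also fall outside the documented set.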
Please see the attached screenshot for an example of HTTP method support.