I have this VAPT comment to be resolved.
I need to disable the TRACE option in the APIs.
http methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
I tried to disable it from appSettings.json by changing the log level information like this:

    "Logging": {
      "LogLevel": {
        "Default": "Trace",
        "Microsoft.AspNetCore.Hosting.Internal.WebHost": "None",
        "Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker": "None"
      }
    }

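I added the code below to the startup file of .NET Core, and it solved the issue:

    // Register this early in Configure so it runs before the rest of the pipeline.
    app.Use(async (context, next) =>
    {
        if (string.Equals(context.Request.Method, "TRACE", StringComparison.OrdinalIgnoreCase))
        {
            // Short-circuit: answer 405 and do not call the next middleware.
            context.Response.StatusCode = StatusCodes.Status405MethodNotAllowed;
        }
        else
        {
            await next();
        }
    });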
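
A re-test for the scanner finding above, as an added example that is not part of the original post: it sends TRACE and OPTIONS to an endpoint and passes only when TRACE is refused and no longer listed in `Allow`. The function names and the local stub server are hypothetical; the stub is a constructed stand-in for the fixed API so the check runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe_trace(host, port, path="/", tls=False, timeout=5):
    """Send TRACE and OPTIONS; return (trace_status, advertised_methods)."""
    conn_cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    results = []
    for method in ("TRACE", "OPTIONS"):
        conn = conn_cls(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()
            results.append((resp.status, resp.getheader("Allow", "")))
        finally:
            conn.close()
    trace_status = results[0][0]
    allow = {m.strip().upper() for m in results[1][1].split(",") if m.strip()}
    return trace_status, allow

def trace_is_disabled(trace_status, allow):
    """Pass only if TRACE is refused and not advertised in Allow."""
    # Assumption: 405 (as set by the middleware above) or 501 counts as refused.
    return trace_status in (405, 501) and "TRACE" not in allow

class _StubApi(BaseHTTPRequestHandler):
    """Constructed local stand-in for the fixed API: TRACE gets 405."""
    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "OPTIONS, GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args): pass  # keep the stub quiet

def check_stub():
    """Run the probe against the stub on an ephemeral localhost port."""
    server = HTTPServer(("127.0.0.1", 0), _StubApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_trace("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()
```

Against the real service, call `probe_trace` with the API's host and port (and `tls=True` for HTTPS) and feed the result to `trace_is_disabled`.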