id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
26146	CsrfViewMiddleware responds to any arbitrary HTTP method outside of 'GET', 'HEAD', 'OPTIONS', and 'TRACE'	Kyle Baker	nobody	"Not sure if this is desired behavior or not, but we had a security audit on our website. They found that when a TRACK request was made, they hit a django error page. TRACK seems to be an obscure variant of TRACE unique to some Microsoft systems. In our case, they were hitting a CSRF failure page. We don't want people to see anything about us using csrf tokens, or about the fact that we're using django (or anything else about our security measures or server environment), so we've just overridden our CSRF_FAILURE_VIEW to be a simple plain text 401 in our settings when DEBUG is False.

I can't help but wonder, though... Why does Django respond to this verb in the first place? It's a non-standard verb. TRACE is all that is needed to comply with HTTP standards. It really is more of a minor nuisance that it introduces a (tiny) security issue, with dubious gain. Most developers have never heard of TRACK and wouldn't know to do something about it.

Thoughts?"	Cleanup/optimization	closed	CSRF	1.8	Normal	wontfix	trace, track, csrf, error, page		Accepted	0	0	0	0	0	0
