by hnbad 1012 days ago
You should disable it if you don't need it or at least move it behind authentication if you do need it.

Security follows the Swiss cheese model: each individual measure has known limitations but by layering them, you reduce the overall number of attack vectors.

Getting the server to make arbitrary HTTP requests is bad, yes, but limiting what the attacker can do with that makes it less dangerous if you somehow screw that one thing up.