Severity: High
Compliance references: GDPR Art. 32, ISO 27001 A.8.8, CIS Controls CIS 7
Patch known CVEs and disable risky HTTP methods
Running software with published CVEs, or leaving methods like TRACE enabled, gives attackers a ready-made exploit.
Why it matters
Most breaches exploit known vulnerabilities for which a patch already exists. If a scan can match the versions your server discloses to a CVE, so can an attacker with an off-the-shelf exploit. Risky HTTP methods add needless attack surface.
How to fix it
Keep the OS, runtime and dependencies patched on a schedule, subscribe to security advisories for your stack, and disable HTTP methods you do not use (TRACE always; PUT and DELETE where the application does not need them).
# Disable TRACE server-wide (Apache)
TraceEnable off
# Only allow the methods the site needs and answer everything else with 405 (nginx)
if ($request_method !~ ^(GET|POST|HEAD)$ ) { return 405; }
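The Apache and nginx lines above do the job at the web-server layer. As an added example (not part of this guide or of any scanner tooling), the same allow-list enforced inside a small Python http.server, together with a local check that each unwanted method really comes back as 405 with an Allow header and that TRACE does not echo request headers. The host (127.0.0.1), the ephemeral port, the X-Probe header and the method list are assumptions for the demo.

```python
"""Enforce an HTTP method allow-list and verify it locally.

Added example, not code from the guide; 127.0.0.1, the ephemeral port,
the X-Probe canary header and ALLOWED_METHODS are demo assumptions.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods the application actually needs; everything else is rejected.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST"})


class MethodAllowlistHandler(BaseHTTPRequestHandler):
    """Answer any method outside ALLOWED_METHODS with 405 + Allow header."""

    def parse_request(self):
        # Run the stock parser first; it already rejects malformed requests.
        if not super().parse_request():
            return False
        if self.command in ALLOWED_METHODS:
            return True
        # Rejected before dispatch, so no handler code ever sees the method.
        self.send_response(405)
        self.send_header("Allow", ", ".join(sorted(ALLOWED_METHODS)))
        self.send_header("Content-Length", "0")
        self.end_headers()
        return False  # tells handle_one_request the response is complete

    def do_GET(self):
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_POST = do_GET  # same trivial response; the point is the allow-list

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Start the allow-list server on an ephemeral localhost port (assumed)."""
    server = HTTPServer(("127.0.0.1", 0), MethodAllowlistHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_methods(host, port, methods):
    """Send each method once; record status, Allow header and whether the
    response body reflects our canary header (what an enabled TRACE does)."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, "/", headers={"X-Probe": "canary-value"})
        resp = conn.getresponse()
        body = resp.read()
        results[method] = {
            "status": resp.status,
            "allow": resp.getheader("Allow"),
            "reflected": b"canary-value" in body,
        }
        conn.close()
    return results


def run_self_check():
    """Bring the server up, probe wanted and unwanted methods, tear it down."""
    server = start_server()
    try:
        host, port = server.server_address
        return probe_methods(
            host, port, ["GET", "HEAD", "POST", "TRACE", "PUT", "DELETE", "OPTIONS"]
        )
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for method, result in run_self_check().items():
        print(f"{method:8s} {result['status']} allow={result['allow']} "
              f"reflected={result['reflected']}")
```

Two details carry over to the real configuration: keep HEAD alongside GET (clients and load-balancer health checks use it), and add OPTIONS to the list only if the site serves cross-origin requests that need a preflight. A 405 response is supposed to carry an Allow header listing the permitted methods; the handler above does that, while the nginx `return 405` one-liner does not, which is acceptable for a hard block but worth knowing when a client reports a "bare" 405.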
Is your domain affected?
Prove ownership and run a scan for a graded, verifiable report.
Related guides
- Set up SPF, DKIM and DMARC to stop email spoofing
- Add the HTTP security headers every site should send
- Fix TLS: valid certificate and modern protocols only
- Remove exposed .git, .env and backup files
Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.