High | GDPR Art. 32 | ISO 27001 A.8.8 | CIS Controls CIS 7

Patch known CVEs and disable risky HTTP methods

Running software with published CVEs, or leaving methods like TRACE enabled, gives attackers a ready-made exploit.

Why it matters

Most breaches use known, already-patched vulnerabilities. If a scan can match your disclosed versions to a CVE, so can an attacker with an off-the-shelf exploit. Risky HTTP methods add needless surface.

How to fix it

Keep OS, runtime and dependencies patched on a schedule, subscribe to advisories for your stack, and disable HTTP methods you do not use (TRACE, and PUT/DELETE where not needed).

# Disable TRACE (Apache, server config or virtual host)
TraceEnable off

# Only allow needed methods (nginx, inside a server or location block)
if ($request_method !~ ^(GET|POST|HEAD)$) { return 405; }
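
One way to confirm the allowlist took effect after reloading the server, as an added example that is not part of the original guide. The names `probe_methods`, `unexpected_methods` and the loopback demo server are constructed for illustration, and counting only 405 and 501 as refusals is an assumption.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED = {"GET", "POST", "HEAD"}  # same allowlist as the nginx rule above
PROBES = ["GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "OPTIONS"]

def probe_methods(host, port, path="/", methods=PROBES, timeout=5):
    """Send one request per method to your own server; return {method: status}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            results[method] = conn.getresponse().status
        finally:
            conn.close()
    return results

def unexpected_methods(results, allowed=ALLOWED):
    """Methods outside the allowlist that the server did not refuse."""
    # Assumption: only 405 (Method Not Allowed) and 501 (Not Implemented)
    # count as a refusal; any other status is reported for review.
    return sorted(m for m, status in results.items()
                  if m not in allowed and status not in (405, 501))

class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that has the allowlist applied."""
    def _reply(self):
        self.send_response(200 if self.command in ALLOWED else 405)
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = do_TRACE = do_OPTIONS = _reply
    def log_message(self, *args):  # keep the demo quiet
        pass

def run_demo():
    """Start the constructed server on loopback, probe it, return the findings."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        results = probe_methods("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()
    return results, unexpected_methods(results)

if __name__ == "__main__":
    print(run_demo())
```

Point `probe_methods` at a host you operate in place of the demo server; an empty list from `unexpected_methods` means every method outside the allowlist was refused.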


Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.