HTTP methods beyond GET and POST — PUT, DELETE, TRACE, and others — are often left enabled on a server by default even when your application never actually uses them, giving an attacker extra ways to probe or manipulate your site that you never intended to expose.
Most sites only need GET and POST. Leaving TRACE, PUT, or DELETE enabled expands your attack surface for no functional benefit — TRACE specifically enables Cross-Site Tracing, a real cookie-theft technique.
Your server only accepts the HTTP methods your application actually uses.
Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.
Run this check in H.I.V.E. →