**PUT/DELETE**: If enabled without authentication, attackers may be able to upload arbitrary files or delete existing resources. PUT in particular can enable web shell uploads. - **TRACE**: Enables Cross-Site Tracing (XST) attacks, which can be used to steal cookies marked with the `HttpOnly` flag b