remove long-deprecated HTTP options (#1444)

* remove long-deprecated HTTP options

* re-trigger netlify

* formatting

---------

Co-authored-by: Paula <[email protected]>

Author: jsteemann

3.10/appendix-deprecated.md

@@ -171,8 +171,10 @@ detailed information about breaking changes before upgrading.
     `x-http-method-override`. This was originally intended for very restricted
     callers, which only supported HTTP GET and HTTP POST, but seems very
     unnecessary nowadays.
+    The functionality will be removed in ArangoDB 3.12.
   - `--http.hide-product-header`: whether or not to hide the `Server: ArangoDB`
     header in all responses served by arangod.
+    The functionality will be removed in ArangoDB 3.12.
   - `--network.protocol`: network protocol to use for cluster-internal 
     communication. The protocol will be auto-decided from version 3.9 onwards.
   - `--query.allow-collections-in-expressions`: allow full collections to be 

3.11/appendix-deprecated.md

@@ -186,9 +186,11 @@ detailed information about breaking changes before upgrading.
     special HTTP headers `x-http-method`, `x-method-override` or 
     `x-http-method-override`. This was originally intended for very restricted
     callers, which only supported HTTP GET and HTTP POST, but seems very
-    unnecessary nowadays.
+    unnecessary nowadays. 
+    The functionality will be removed in ArangoDB 3.12.
   - `--http.hide-product-header`: whether or not to hide the `Server: ArangoDB`
     header in all responses served by arangod.
+    The functionality will be removed in ArangoDB 3.12.
   - `--network.protocol`: network protocol to use for cluster-internal 
     communication. The protocol will be auto-decided from version 3.9 onwards.
   - `--query.allow-collections-in-expressions`: allow full collections to be 

3.12/appendix-deprecated.md

@@ -185,14 +185,6 @@ detailed information about breaking changes before upgrading.
     - `--arangosearch.consolidation-threads-idle`
   - `--rocksdb.exclusive-writes` (was intended only as a stopgap measure to
     make porting applications from MMFiles to RocksDB easier)
-  - `--http.allow-method-override`: this option allows incoming HTTP POST 
-    request to override the actual HTTP method used by setting one of the
-    special HTTP headers `x-http-method`, `x-method-override` or 
-    `x-http-method-override`. This was originally intended for very restricted
-    callers, which only supported HTTP GET and HTTP POST, but seems very
-    unnecessary nowadays.
-  - `--http.hide-product-header`: whether or not to hide the `Server: ArangoDB`
-    header in all responses served by arangod.
   - `--network.protocol`: network protocol to use for cluster-internal 
     communication. The protocol will be auto-decided from version 3.9 onwards.
   - `--query.allow-collections-in-expressions`: allow full collections to be 

3.12/http/general.md

@@ -385,30 +385,6 @@ requests unless explicitly told to do so:
   });
   ```
 
-## HTTP method overriding
-
-{% hint 'warning' %}
-HTTP method overriding is deprecated from version 3.9.0 on and should no longer
-be used.
-{% endhint %}
-
-ArangoDB provides a startup option *--http.allow-method-override*.
-This option can be set to allow overriding the HTTP request method (e.g. GET, POST,
-PUT, DELETE, PATCH) of a request using one of the following custom HTTP headers:
-
-- `x-http-method-override`
-- `x-http-method`
-- `x-method-override`
-
-This allows using HTTP clients that do not support all "common" HTTP methods such as
-PUT, PATCH and DELETE. It also allows bypassing proxies and tools that would otherwise
-just let certain types of requests (e.g. GET and POST) pass through.
-
-Enabling this option may impose a security risk, so it should only be used in very
-controlled environments. Thus the default value for this option is *false* (no method
-overriding allowed). You need to enable it explicitly if you want to use this
-feature.
-
 ## Load-balancer support
 
 When running in cluster mode, ArangoDB exposes some APIs which store request

3.12/release-notes-upgrading-changes312.md

@@ -53,6 +53,28 @@ larger amounts of data and was thus very limited.
 Users of the `/_api/traversal` REST API should use
 [AQL traversal queries](aql/graphs-traversals.html) instead.
 
+### HTTP server behavior
+
+The following long-deprecated features have been removed from ArangoDB's HTTP
+server:
+
+- overriding the HTTP method by setting one of the HTTP headers:
+  - `x-http-method`
+  - `x-http-method-override`
+  - `x-method-override`
+ 
+   This functionaltiy posed a potential security risk and was thus removed.
+   Previously, it was only enabled when explicitly starting the 
+   server with the `--http.allow-method-override` startup option.
+   The functionality has now been removed and setting the startup option does
+   nothing.
+
+- optionally hiding ArangoDB's `server` response header. This functionality
+  could optionally be enabled by starting the server with the startup option
+  `--http.hide-product-header`.
+  The functionality has now been removed and setting the startup option does
+  nothing.
+
 ## JavaScript API
 
 ### `@arangodb/graph/traversal` module

3.9/appendix-deprecated.md

@@ -157,8 +157,10 @@ replace the old features with:
     `x-http-method-override`. This was originally intended for very restricted
     callers, which only supported HTTP GET and HTTP POST, but seems very
     unnecessary nowadways.
+    The functionality will be removed in ArangoDB 3.12.
   - `--http.hide-product-header`: whether or not to hide the `Server: ArangoDB`
     header in all responses served by arangod.
+    The functionality will be removed in ArangoDB 3.12.
   - `--network.protocol`: network protocol to use for cluster-internal 
     communication. The protocol will be auto-decided from version 3.9 onwards.
   - `--query.allow-collections-in-expressions`: allow full collections to be