Apache: Disable the HTTP TRACE Method


'TRACE' is an HTTP request method, intended for debugging, that echoes the request back to the client. Jeremiah Grossman from WhiteHat Security published a paper outlining how this can be abused to steal information such as cookies and possibly website credentials. The following solution, which disables the HTTP TRACE method using mod_rewrite, has been suggested:

"TRACE requests can be disabled by making a change to the Apache server configuration. Unfortunately it is not possible to do this using the Limit directive since the processing for the TRACE request skips this authorisation checking. Instead the following lines can be added which make use of the mod_rewrite module.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]"

Additional information can be found at the links below.


By default, Apache2 supports the HTTP TRACE method, which can expose your server to certain cross-site scripting attacks. In this tutorial, I will show you how to check for TRACE support on your Apache2 server using curl, and then how to switch it off if it is enabled.

Testing for TRACE support with curl

To see if TRACE is supported by your server, you can use curl:
$ curl -i -X TRACE
HTTP/1.1 200 OK
Date: Wed, 13 Feb 2013 14:22:56 GMT
Server: Apache/2.2.15 (CentOS)
Transfer-Encoding: chunked
Content-Type: message/http
User-Agent: curl/7.21.7 (x86_64-redhat-linux-gnu) libcurl/7.21.7 NSS/ zlib/1.2.5 libidn/1.22 libssh2/1.2.7
Accept: */*

As you can see, I am getting a response from the server for the TRACE request. Now let us disable it.

Disabling TRACE support in Apache2

To switch off TRACE support, you need to open your main Apache2 configuration file. On my CentOS box it is the first of these; which one you have depends on your Linux distribution:

- /etc/httpd/conf/httpd.conf
- /etc/apache2/httpd.conf

Now add this directive to that file (you can add it at the bottom of the file):

TraceEnable off

Then restart Apache2:

$ service httpd restart

Now when you run the same curl command again from your client machine, this is the response you will see:

$ curl -i -X TRACE
HTTP/1.1 405 Method Not Allowed
Date: Wed, 13 Feb 2013 14:30:32 GMT
Server: Apache/2.2.15 (CentOS)
Content-Length: 223
Content-Type: text/html; charset=iso-8859-1
<title>405 Method Not Allowed</title>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
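As an added example (not part of the original tutorial), here is a small Python script that performs the same check as the curl command above against a server you administer and classifies the three answers you can get: the 200 message/http echo when TRACE is on, the 405 that TraceEnable off produces, and the 403 that the mod_rewrite [F] rule quoted earlier produces. The sample responses and the host name are constructed for illustration.

```python
import http.client

# Constructed sample responses modelled on the two curl transcripts in this
# tutorial, plus the 403 Forbidden that a mod_rewrite [F] rule returns.
SAMPLE_ENABLED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "Content-Type: message/http\r\n"
    "\r\n"
    "TRACE / HTTP/1.1\r\nHost: example.invalid\r\n"
)
SAMPLE_TRACEENABLE_OFF = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
)
SAMPLE_REWRITE_BLOCKED = "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"


def classify_trace_response(status: int, content_type: str) -> str:
    """Interpret a server's answer to a TRACE request.

    Apache echoes the request as message/http when TRACE is on; TraceEnable off
    answers 405; a mod_rewrite [F] rule answers 403.  A 200 without message/http
    means something else (e.g. a front-end proxy) answered, so flag it for review.
    """
    if status == 200 and content_type.lower().startswith("message/http"):
        return "ENABLED: server echoes TRACE requests; set TraceEnable off"
    if status == 405:
        return "DISABLED (TraceEnable off)"
    if status == 403:
        return "DISABLED (blocked by rewrite/access rule)"
    return f"UNEXPECTED: HTTP {status} {content_type!r}; inspect manually"


def parse_raw_response(raw: str) -> tuple:
    """Pull the status code and Content-Type out of a raw HTTP response text."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    content_type = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            content_type = value.strip()
    return status, content_type


def check_trace(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Live check against your own server, equivalent to `curl -i -X TRACE`."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("TRACE", "/")
    resp = conn.getresponse()
    result = classify_trace_response(resp.status, resp.getheader("Content-Type", ""))
    conn.close()
    return result
```

Run `check_trace("your.server.example")` after the configuration change to confirm the answer has moved from ENABLED to DISABLED.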

Have fun with nu11secur1ty =)