Disabling the TRACE method in Apache2

 
Published on 2013-02-13 by John Collins.

Introduction

By default, Apache2 supports the HTTP TRACE method, which could expose your server to certain Cross-Site Scripting attacks.1 In this tutorial, I will show you how to check for TRACE support on your Apache2 server using curl, and then switch it off if it is enabled.

Testing for TRACE support with curl

To see if TRACE is supported by your server, you can use curl

$ curl -i -X TRACE http://www.site.com/
HTTP/1.1 200 OK
Date: Wed, 13 Feb 2013 14:22:56 GMT
Server: Apache/2.2.15 (CentOS)
Transfer-Encoding: chunked
Content-Type: message/http
 
TRACE / HTTP/1.1
User-Agent: curl/7.21.7 (x86_64-redhat-linux-gnu) libcurl/7.21.7 NSS/3.13.3.0 zlib/1.2.5 libidn/1.22 libssh2/1.2.7
Host: www.alphadevx.com
Accept: */*

As you can see, I am getting a response from the server for the TRACE request. Now let us disable it.

Disabling TRACE support in Apache2

To switch off TRACE support, you need to open your main Apache2 configuration file which is here on my CentOS box:

nano /etc/httpd/conf/httpd.conf

Now add this directive to that file (I added it to the bottom of the file):2

TraceEnable off

...and restart Apache2:

$ service httpd restart

Now when I run the same curl command again from my client machine, this is the response I get:

$ curl -i -X TRACE http://www.site.com/
HTTP/1.1 405 Method Not Allowed
Date: Wed, 13 Feb 2013 14:30:32 GMT
Server: Apache/2.2.15 (CentOS)
Allow: 
Content-Length: 223
Content-Type: text/html; charset=iso-8859-1
 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
</body></html>

References


Updated 2023 : note that the above post was originally published in 2013, but is left here for archival purposes.