5.8 Ensure the HTTP TRACE Method Is Disabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Use the Apache TraceEnable directive to disable the HTTP TRACE request method.

Rationale:

The HTTP 1.1 protocol requires support for the TRACE request method, which reflects the request back as a response and was intended for diagnostic purposes. The TRACE method is not needed, is easily abused, and should be disabled.

Solution

Perform the following to implement the recommended state:

Locate the main Apache configuration file such as httpd.conf.

Add a TraceEnable directive to the server level configuration with a value of off. Server level configuration is the top-level configuration, not nested within any other directives like <Directory> or <Location>.
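
One way to check the two steps above, as an added example that is not part of the benchmark or the audit: the function below reads the text of one configuration file and reports whether a TraceEnable directive with the value off exists at server level, outside every <Section> block. The name audit_trace_enable and the sample configurations are hypothetical; the sketch assumes one directive per line and does not follow Include directives or backslash line continuations.

```python
import re

SECTION_OPEN = re.compile(r"^<\s*([A-Za-z]\w*)\b[^>]*>$")
SECTION_CLOSE = re.compile(r"^</\s*[A-Za-z]\w*\s*>$")
TRACE = re.compile(r"^TraceEnable\s+(\S+)", re.IGNORECASE)

def audit_trace_enable(conf_text):
    """Return (compliant, findings); compliant means the last
    TraceEnable outside every <Section> block has the value off."""
    stack, server_level, findings = [], None, []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append(opened.group(1))
            continue
        trace = TRACE.match(line)
        if not trace:
            continue
        value = trace.group(1).strip("\"'").lower()
        if stack:  # nested: does not satisfy the server-level requirement
            findings.append(f"line {lineno}: TraceEnable {value} is nested "
                            f"in <{stack[-1]}>, not server level")
        else:      # a later server-level directive overrides an earlier one
            server_level = value
    if server_level is None:
        findings.append("no server-level TraceEnable; default leaves TRACE enabled")
    elif server_level != "off":
        findings.append(f"server-level TraceEnable is {server_level}, expected off")
    return server_level == "off", findings

# Constructed sample configurations (not taken from a real server).
GOOD = ('ServerRoot "/etc/httpd"\nTraceEnable off\n'
        '<Directory "/var/www">\n  Require all granted\n</Directory>\n')
NESTED = '<VirtualHost *:80>\n  TraceEnable Off\n</VirtualHost>\n'

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("NESTED", NESTED)):
        ok, notes = audit_trace_enable(conf)
        print(name, "PASS" if ok else "FAIL", notes)
```
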

Default Value:

The TRACE method is enabled.

See Also

https://workbench.cisecurity.org/files/3021