2.6 Turn off TRACE (check server.xml)

Information

Diagnostic information, such as that found in the response to a TRACE request, often contains sensitive information that may be useful to an attacker. By preventing Tomcat from providing this information, the risk of leaking sensitive information to a potential attacker is reduced.

Solution

Perform the following to prevent Tomcat from accepting a TRACE request:
1. Set the allowTrace attribute of each Connector specified in $CATALINA_HOME/conf/server.xml to false.
<Connector ... allowTrace="false" />
Alternatively, ensure the allowTrace attribute is absent from each Connector specified in $CATALINA_HOME/conf/server.xml (Tomcat defaults it to false).
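An audit check for this item, added here as an example and not part of the benchmark or of Tomcat: it parses a server.xml and reports every Connector whose allowTrace attribute is explicitly true, treating an absent attribute as compliant. The embedded server.xml is a constructed sample; point audit_server_xml at $CATALINA_HOME/conf/server.xml for a real check.

```python
"""Audit the Connector elements in a Tomcat server.xml for TRACE exposure."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not taken from a real deployment): the first
# Connector leaves allowTrace absent (Tomcat default: false), the second
# explicitly enables it and should be flagged.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" allowTrace="true" />
  </Service>
</Server>
"""


def trace_enabled_connectors(server_xml: str) -> list[str]:
    """Return the port of every Connector whose allowTrace is true.

    An absent attribute is treated as false, matching Tomcat's default, so
    only an explicit true value makes a Connector non-compliant.
    """
    root = ET.fromstring(server_xml)
    offenders = []
    for connector in root.iter("Connector"):
        value = connector.get("allowTrace", "false").strip().lower()
        if value == "true":
            offenders.append(connector.get("port", "<unknown>"))
    return offenders


def audit_server_xml(path: str) -> list[str]:
    """Read server.xml from disk and return the non-compliant Connector ports."""
    with open(path, encoding="utf-8") as fh:
        return trace_enabled_connectors(fh.read())


if __name__ == "__main__":
    bad = trace_enabled_connectors(SAMPLE_SERVER_XML)
    if bad:
        print('FAIL: allowTrace="true" on Connector port(s): ' + ", ".join(bad))
    else:
        print("PASS: no Connector allows TRACE")
```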

See Also

https://workbench.cisecurity.org/files/266

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-11

Plugin: Unix

Control ID: 40e8eb528d1f46b9f47b6b6d586018d536c50449de0aa76ee42e3ea74ccb97a5