The HTTP TRACE verb provides debugging and diagnostics information for a given request: the server echoes the request it received, including its headers, back to the client.

Rationale: Diagnostic information, such as that found in the response to a TRACE request, often contains sensitive information which may be useful to an attacker. By preventing Tomcat from providing this information, the risk of leaking sensitive information to a potential attacker is reduced.
Solution
Perform the following to prevent Tomcat from accepting a TRACE request:

1. Set the allowTrace attribute for each Connector specified in $CATALINA_HOME/conf/server.xml to false:

   <Connector ... allowTrace='false' />

   Alternatively, ensure the allowTrace attribute is absent from each Connector specified in $CATALINA_HOME/conf/server.xml.

2. Add the following as a child of the web-app root element, if present, in each web application's web.xml:

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>restricted methods</web-resource-name>
       ...
       <http-method>TRACE</http-method>
       ...
     </web-resource-collection>
     ...
   </security-constraint>

   Note that a security-constraint only blocks the listed methods when it also contains an empty <auth-constraint/> element; a constraint with no auth-constraint is treated by the Servlet specification as permitting access, so it would not deny TRACE.

Default Value: Tomcat does not allow the TRACE HTTP verb by default. Tomcat will only allow TRACE if the allowTrace attribute is present and set to true.
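The following audit script is an added example and is not part of the benchmark text or of Tomcat itself. It checks both remediation steps above offline: it parses a server.xml and reports every Connector whose allowTrace attribute is explicitly true (the only non-compliant state, since the default is false), and it checks a web.xml for a security-constraint that lists TRACE and actually denies it via an empty auth-constraint. The sample XML documents, the port numbers and the X-Probe header name are constructed for the example. The optional trace_enabled() live check sends a real TRACE request and is not exercised against a server here.

```python
"""Audit Tomcat configuration for HTTP TRACE exposure (added example)."""
import http.client
import xml.etree.ElementTree as ET

# Constructed sample server.xml: port 8080 explicitly enables TRACE (finding),
# 8443 disables it, 8009 omits the attribute (secure default).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" allowTrace="true" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" allowTrace="false" />
    <Connector port="8009" protocol="AJP/1.3" />
  </Service>
</Server>
"""

# Constructed sample web.xml that denies TRACE: the empty <auth-constraint/>
# is what turns the listed method into a deny rule.
SAMPLE_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>
"""

# Constructed weak variant: lists TRACE but has no auth-constraint, so the
# constraint permits access and does not block the method.
SAMPLE_WEB_XML_NO_AUTH = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
  </security-constraint>
</web-app>
"""


def connectors_allowing_trace(server_xml: str) -> list:
    """Return the port of every Connector whose allowTrace is set to true."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Tomcat defaults allowTrace to false, so a missing attribute is compliant.
        if conn.get("allowTrace", "false").strip().lower() == "true":
            findings.append(conn.get("port", "?"))
    return findings


def _local(tag: str) -> str:
    """Strip the XML namespace so web.xml elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def web_xml_denies_trace(web_xml: str) -> bool:
    """True if some security-constraint lists TRACE and has an empty auth-constraint."""
    root = ET.fromstring(web_xml)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        methods = [e.text.strip().upper() for e in sc.iter()
                   if _local(e.tag) == "http-method" and e.text]
        if "TRACE" not in methods:
            continue
        for ac in sc:
            # An auth-constraint with no role-name children denies everyone.
            if _local(ac.tag) == "auth-constraint":
                if not [r for r in ac if _local(r.tag) == "role-name"]:
                    return True
    return False


def trace_enabled(host: str, port: int = 8080, timeout: float = 5.0) -> bool:
    """Live check: send TRACE and report whether the server echoed our header back."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Probe": "trace-check"})
        resp = conn.getresponse()
        body = resp.read()
        # A hardened Tomcat answers 405; an echoing server returns 200 with the request.
        return resp.status == 200 and b"X-Probe" in body
    finally:
        conn.close()


if __name__ == "__main__":
    print("Connectors with allowTrace=true:", connectors_allowing_trace(SAMPLE_SERVER_XML))
    print("web.xml denies TRACE:", web_xml_denies_trace(SAMPLE_WEB_XML))
    print("weak web.xml denies TRACE:", web_xml_denies_trace(SAMPLE_WEB_XML_NO_AUTH))
```

Run the two parsers against the real $CATALINA_HOME/conf/server.xml and each application's WEB-INF/web.xml, then confirm from the network with trace_enabled() against each listening port; a compliant connector should return 405 rather than echo the request.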