InformationThe HTTP TRACE verb provides debugging and diagnostics information for a given request.
Diagnostic information, such as that found in the response to a TRACE request, often contains sensitive information which may useful to an attacker. By preventing Tomcat from providing this information, the risk of leaking sensitive information to a potential attacker is reduced.
SolutionPerform the following to prevent Tomcat from accepting a TRACE request:
Set the allowTrace attribute for each Connector specified in $CATALINA_HOME/conf/server.xml to false.
<Connector ... allowTrace='false' />
Alternatively, ensure the allowTrace attribute is absent from each Connector specified in $CATALINA_HOME/conf/server.xml.
Add the following as a child of the web-app root element, if present, in each web applications web.xml:
Tomcat does not allow the TRACE HTTP verb by default. Tomcat will only allow TRACE if the allowTrace attribute is present and set to true.