Tuesday 15 August 2017

How to: Disable the HTTP TRACE Method



Most vulnerability scanners will complain about TRACE method being enabled on the web server tested.

Normally TRACE is enabled by default. To check whether it is actually enabled on your server, telnet to the port your web server listens on and send "TRACE / HTTP/1.0"; if you get a 200 reply that echoes your request back, TRACE is enabled on your system. The output from a server with TRACE enabled will look like this:

[root@nixguru ~]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: nixguru
Any text entered here will  be echoed back in the response <- ENTER twice to finish
HTTP/1.1 200 OK
Date: Tue, 15 Aug 2017 10:24:52 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.6.31
Connection: close
Content-Type: text/html; charset=iso-8859-1
TRACE / HTTP/1.0
Host: nixguru
Any text entered here will  be echoed back in the response
Connection closed by foreign host.

Method: 1
Add the lines below to the main Apache configuration file, outside of any virtual host or directory section so that they apply server-wide (they rely on mod_rewrite being loaded):
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

Method: 2
In Apache 2.0.55 or newer this is much easier, because the TraceEnable directive controls whether the TRACE method is honoured. Add the line below to the main Apache configuration file; the default is on.
TraceEnable off

Once the above settings are in place, reload the Apache service and verify the change the same way as before:
[root@nixguru ~]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: nixguru
Testing.....  <- ENTER twice
HTTP/1.1 403 Forbidden
Date: Tue, 15 Aug 2017 10:24:56 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.6.31
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
On this server.</p>
<hr>
<address> Server: Apache/2.4.6 (CentOS) PHP/5.6.31  Server at nixguru Port 80</address>
</body></html>
Connection closed by foreign host.
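The telnet check above (both the "before" transcript and the verification after the change) can be scripted so it runs from a cron job or a configuration audit. The following is an added example, not code from the original post: it sends the same TRACE request, tags it with a marker header, and reports TRACE as enabled only when the server answers 200 and echoes the marker back. Host name, marker value and the two sample responses are constructed for illustration, modelled on the transcripts in the post.

```python
import re
import socket

# Constructed sample responses, modelled on the telnet transcripts in the post
# (not live captures): one from a server that still honours TRACE, one after
# the rewrite rule or TraceEnable off has been applied.
MARKER = b"trace-probe-7f3a"  # arbitrary string we expect to see echoed back

ENABLED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 15 Aug 2017 10:24:52 GMT\r\n"
    b"Server: Apache/2.4.6 (CentOS) PHP/5.6.31\r\n"
    b"Connection: close\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.0\r\n"
    b"Host: nixguru\r\n"
    b"X-Probe: " + MARKER + b"\r\n"
)

DISABLED_RESPONSE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Date: Tue, 15 Aug 2017 10:24:56 GMT\r\n"
    b"Server: Apache/2.4.6 (CentOS) PHP/5.6.31\r\n"
    b"Content-Length: 226\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Forbidden</h1></body></html>\r\n"
)

STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3})")


def build_trace_request(host: str, marker: bytes = MARKER) -> bytes:
    """Same request the post types into telnet, plus a header carrying a marker
    so a genuine echo can be told apart from any other 200 response."""
    return (
        b"TRACE / HTTP/1.0\r\n"
        b"Host: " + host.encode() + b"\r\n"
        b"X-Probe: " + marker + b"\r\n"
        b"\r\n"
    )


def classify_trace_response(raw: bytes, marker: bytes = MARKER) -> dict:
    """Decide from a raw HTTP response whether TRACE is honoured.

    TRACE counts as enabled only when the status is 200 *and* the marker comes
    back in the body, which is the echo behaviour scanners flag. Any other
    status (403 from the rewrite rule, 405 from TraceEnable off) or an empty
    reply counts as disabled.
    """
    head, sep, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    first_line = head.split(b"\n", 1)[0]
    m = STATUS_LINE.match(first_line)
    status = int(m.group(1)) if m else None
    echoed = bool(sep) and marker in body
    return {"status": status, "echoed": echoed, "enabled": status == 200 and echoed}


def check_trace(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Connect, send the TRACE probe, read until the server closes, classify."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = check_trace(target)
    state = "ENABLED" if result["enabled"] else "disabled"
    print(f"{target}: HTTP {result['status']}, TRACE {state}")
```

Run it as "python3 check_trace.py 127.0.0.1" on the web server itself, before and after the change. The marker check matters because a front-end proxy or a catch-all page can answer 200 to anything; only a response that echoes the marker proves the request body was reflected.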
