Disable Trace HTTP Request in Apache

Objective

By default, the HTTP TRACE request method is enabled in Apache web server.

Having this enabled can allow Cross Site Tracing attack and potentially give an option to a hacker to steal cookie information.

Solution

Disable the HTTP TRACE request method.

Edit your Apache configuration file/etc/apache2/httpd.conf and add the following:

# Disable the HTTP TRACE request method
TraceEnable off

Reload Apache

[root@nowherelan]# systemctl reload httpd.service

Use the online Request Method Security Scanner to remotely check your site for which HTTP request methods are allowed. It should list the TRACE method as “Method Not Allowed (405).”

My System Configuration

CentOS 7
Apache 2.4

References

https://geekflare.com/apache-web-server-hardening-security/
https://www.askapache.com/online-tools/request-method-scanner/

S	M	T	W	T	F	S
						1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28	29
30	31

nowhereLAN

Disable Trace HTTP Request in Apache

Objective

Solution

My System Configuration

References

Leave a Reply Cancel reply

David Lehman's System Administration Blog

Objective

Solution

My System Configuration

References

Share this:

Leave a Reply Cancel reply

David Lehman's System Administration Blog