Search Engine: Elastic

Article ID: 128620, created on Apr 5, 2016, last review on Jul 14, 2018

  • Applies to:
  • Operations Automation


We noticed that servers in our environment accept HTTP TRACE method. The HTTP TRACE method is used for debugging purposes and can provide insight into the working of the web server and associated web application. Furthermore, the TRACE method may be used in cross-site tracing (XST) attacks to retrieve the content of cookies that have ‘HttpOnly’ flag set.


We recommend only enabling the HTTP methods which are in use by applications. In a typical application only the GET, HEAD and POST methods are used. Please do the following steps to disable TRACE method:

  • on Legacy shared Hosting servers based on CentOS 5/6:

    1. add the option TraceEnable off to the config file /usr/local/pem/etc/apache/httpd.conf_pem
    2. restart httpd:

      service pemhttpd restart
  • on common apache servers and NG web servers:

    1. add the option TraceEnable off to main httpd config file (/etc/httpd/conf/httpd.conf)
    2. restart httpd:

      service httpd restart

NOTE: please refer to the article if you need to disable HTTP OPTIONS method on NG web servers.

5356b422f65bdad1c3e9edca5d74a1ae caea8340e2d186a540518d08602aa065 e12cea1d47a3125d335d68e6d4e15e07

Email subscription for changes to this article
Save as PDF