Question
We noticed that servers in our environment accept the HTTP TRACE method. The HTTP TRACE method is used for debugging purposes and can provide insight into the working of the web server and associated web application. Furthermore, the TRACE method may be used in cross-site tracing (XST) attacks to retrieve the content of cookies that have the ‘HttpOnly’ flag set.
Answer
We recommend enabling only the HTTP methods that your applications actually use; a typical application needs only GET, HEAD and POST. Perform the following steps to disable the TRACE method:
On legacy shared hosting servers based on CentOS 5/6:
- add the option
TraceEnable off
to the config file /usr/local/pem/etc/apache/httpd.conf_pem
- restart httpd:
service pemhttpd restart
On common Apache servers and NG web servers:
- add the option
TraceEnable off
to the main httpd config file (/etc/httpd/conf/httpd.conf)
- restart httpd:
service httpd restart
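As an added example (not part of this article or the product), the following Python helper reports the effective TraceEnable value of an httpd.conf and rewrites the file contents so the method is off, which is useful for auditing many servers before and after the change. It assumes only the given file is inspected (files pulled in via Include are not followed) and uses a constructed sample config.

```python
import re

# Apache directive names are case-insensitive. Within one scope the last
# occurrence wins, and when the directive is absent Apache defaults to "on".
_TRACE_RE = re.compile(r"^TraceEnable\s+(on|off|extended)$", re.IGNORECASE)

# Constructed excerpt of an httpd.conf for demonstration, not a real server's file.
SAMPLE_CONF = """\
ServerRoot "/etc/httpd"
Listen 80
# TraceEnable Off   <- commented out, so it has no effect
TraceEnable on
"""


def effective_trace_setting(config_text: str) -> str:
    """Return 'on', 'off' or 'extended' as Apache would apply it for this file.
    Comment and blank lines are skipped; the last active directive wins.
    Assumption: Include'd files are not followed, only this text is inspected."""
    setting = "on"  # Apache's default when no TraceEnable directive is present
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _TRACE_RE.match(stripped)
        if match:
            setting = match.group(1).lower()
    return setting


def ensure_trace_disabled(config_text: str) -> str:
    """Return the config with TraceEnable forced to off.
    Active TraceEnable lines are rewritten in place so no later 'on' or
    'extended' can override the setting; if none exists one is appended.
    The result is unchanged when TRACE is already effectively off (idempotent)."""
    if effective_trace_setting(config_text) == "off":
        return config_text
    out, found = [], False
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped.startswith("#") and _TRACE_RE.match(stripped):
            out.append("TraceEnable off")
            found = True
        else:
            out.append(line)
    if not found:
        out.append("TraceEnable off")
    return "\n".join(out) + "\n"
```

After restarting httpd with the hardened file, `curl -i -X TRACE http://localhost/` should return 405 Method Not Allowed instead of echoing the request.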
NOTE: please refer to the article https://kb.cloudblue.com/en/127829 if you need to disable the HTTP OPTIONS method on NG web servers.