Question

We noticed that servers in our environment accept the HTTP TRACE method. The HTTP TRACE method is used for debugging purposes and can provide insight into the workings of the web server and the associated web application. Furthermore, the TRACE method may be used in cross-site tracing (XST) attacks to retrieve the contents of cookies that have the ‘HttpOnly’ flag set.

Answer

We recommend enabling only the HTTP methods that are in use by applications. A typical application uses only the GET, HEAD and POST methods. Follow these steps to disable the TRACE method:

  • on legacy shared hosting servers based on CentOS 5/6:

    1. add the option TraceEnable off to the config file /usr/local/pem/etc/apache/httpd.conf_pem
    2. restart httpd:

      service pemhttpd restart

  • on common Apache servers and NG web servers:

    1. add the option TraceEnable off to the main httpd config file (/etc/httpd/conf/httpd.conf)
    2. restart httpd:

      service httpd restart
      
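The following helper is an added example and not part of the original article: it applies the TraceEnable change to a config file given as a parameter without duplicating the directive, checks which setting is in effect in that file, and, after the restart, confirms that the running server answers TRACE with 405 Method Not Allowed. It assumes awk and curl are available.

```shell
#!/bin/sh
# Added example, not part of the original KB article.
# ensure_trace_off CONFIG : set "TraceEnable off" in an Apache config file,
#                           replacing any existing TraceEnable directive or
#                           appending one if none is present (idempotent).
# config_trace_off CONFIG : exit 0 only if the effective directive is "off"
#                           (Apache's default when the directive is absent is "on").
# trace_rejected URL      : exit 0 if a live server answers TRACE with 405,
#                           which is what Apache returns once TraceEnable is off.

ensure_trace_off() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "config not found: $cfg" >&2; return 1; }
    # Directive names are case-insensitive in Apache, so compare lower-cased.
    awk 'tolower($1) == "traceenable" { print "TraceEnable off"; found = 1; next }
         { print }
         END { if (!found) print "TraceEnable off" }' "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

config_trace_off() {
    # When the directive appears more than once, the last occurrence wins.
    last=$(awk 'tolower($1) == "traceenable" { v = tolower($2) } END { print v }' "$1")
    [ "$last" = "off" ]
}

trace_rejected() {
    # Needs network access to the server being checked; not exercised offline.
    code=$(curl -s -o /dev/null -w '%{http_code}' -X TRACE "$1")
    [ "$code" = "405" ]
}

# Typical use (config path from the article):
#   ensure_trace_off /etc/httpd/conf/httpd.conf && service httpd restart
#   trace_rejected http://localhost/ && echo "TRACE disabled"
```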

NOTE: please refer to the article https://kb.cloudblue.com/en/127829 if you need to disable the HTTP OPTIONS method on NG web servers.
