'TRACE' is an HTTP request method used for debugging which echoes input back to the user. Jeremiah Grossman from Whitehatsec posted a paper outlining a risk allowing an attacker to steal information including cookies, and possibly website credentials. http://www.apacheweek.com suggests the following solution to disable the HTTP TRACE method by using mod_rewrite.

"TRACE requests can be disabled by making a change to the Apache server configuration. Unfortunately it is not possible to do this using the Limit directive since the processing for the TRACE request skips this authorisation checking. Instead the following lines can be added which make use of the mod_rewrite module.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]" - www.apacheweek.com
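
To confirm the rule took effect, a check like the following can be run against a server you administer. It is an added example, not code from Apache Week or the original post; the header name X-Trace-Probe, its value and the sample responses are constructed for illustration.

```python
import http.client

PROBE_HEADER = "X-Trace-Probe"          # hypothetical header name, used only by this check
PROBE_VALUE = "constructed-value-1234"  # constructed marker, not a real secret


def classify(status, content_type, body):
    """Decide what a TRACE response tells us about the server."""
    if status == 200 and PROBE_VALUE in body:
        # The request headers came back in the body: TRACE is live, so
        # Cookie and Authorization headers would be reflected the same way.
        return "enabled"
    if status in (403, 405, 501):
        # 403 is what the [F] flag of the rewrite rule produces.
        return "blocked"
    # e.g. a 200 error page or a redirect: no echo, but not a clean refusal.
    return "inconclusive (%d, %s)" % (status, content_type or "no content type")


def probe(host, port=80, tls=False, timeout=5):
    """Send one TRACE request to a server you administer and classify it."""
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={PROBE_HEADER: PROBE_VALUE})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
        return classify(resp.status, resp.getheader("Content-Type"), body)
    finally:
        conn.close()


# Constructed sample responses (status, content type, body), for offline use.
SAMPLES = {
    "trace on": (200, "message/http",
                 "TRACE / HTTP/1.1\r\nHost: www.example.test\r\n"
                 "X-Trace-Probe: constructed-value-1234\r\n\r\n"),
    "rewrite rule active": (403, "text/html", "<h1>Forbidden</h1>"),
    "custom error page": (200, "text/html", "<h1>Not available</h1>"),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", classify(*sample))
```

An "inconclusive" result means the marker was not echoed but the server did not refuse the method outright, so the configuration is worth a manual look.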

Additional information can be found at the links below.

* http://www.apacheweek.com/issues/03-01-24#news
* w3 HTTP Protocol Specification

