How to disable HTTP TRACE/TRACK methods in APACHE

A VAPT (vulnerability assessment and penetration testing) review by the security experts group recommended disabling the HTTP TRACE/TRACK methods. TRACE and TRACK are HTTP methods used to debug web server connections: the server echoes the request it received back to the client. An attacker can create a web page that uses XMLHTTP, ActiveX, or XMLDOM to make a victim's browser issue a TRACE request and then read the echoed request, including the client's cookies, out of the response. This effectively results in a Cross-Site Scripting attack.

How to Identify TRACE methods in HTTP Headers

By default, the HTTP TRACE method is enabled in Apache. You can test it in any of the following ways:

Using Telnet

$ telnet example.com 80

Once connected, type the request line TRACE / HTTP/1.1, then Host: example.com on the next line, and hit the Enter key twice to send the empty line that ends the request.

Using OpenSSL

$ openssl s_client -connect example.com:443

After the TLS handshake completes, type the same TRACE / HTTP/1.1 and Host: example.com lines and press Enter twice.

Using CURL

$ curl -v -X TRACE -k https://example.com

The -k flag skips certificate verification, which is convenient when testing a host with a self-signed or mismatched certificate; omit it when the certificate is valid.

Sample output

If you receive HTTP/1.1 200 OK as shown below, then it means HTTP TRACE is enabled.

HTTP/1.1 200 OK
Date: Fri, 26 Nov 2021 06:05:20 GMT
Server: Apache
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
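The same check as a small Python script, added here as an example that is not part of the original article: it sends the raw TRACE request that the telnet and openssl sessions above type by hand and maps the status line to enabled/disabled. The host name is a placeholder, and the two sample responses are constructed for offline testing rather than captured from a real server.

```python
import socket
import ssl

# Constructed sample responses for offline checks, not captured from a real host.
ENABLED_SAMPLE = (
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: message/http\r\n"
    b"Content-Length: 40\r\n\r\nTRACE / HTTP/1.1\r\nHost: example.com\r\n\r\n"
)
DISABLED_SAMPLE = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST\r\n\r\n"


def build_trace_request(host):
    # Same lines a tester types into telnet/openssl; X-Trace-Check is a marker
    # that an enabled server will echo back in the response body.
    return (f"TRACE / HTTP/1.1\r\nHost: {host}\r\n"
            f"X-Trace-Check: probe\r\nConnection: close\r\n\r\n").encode()


def classify_trace_response(raw):
    """Return 'enabled', 'disabled' or 'unknown' for a raw HTTP response."""
    status_line = raw.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "unknown"
    status = int(parts[1])
    if status == 200:
        # 200 is the article's criterion; Apache also echoes the request as the body.
        return "enabled"
    if status in (400, 403, 405, 501):
        # TraceEnable Off, the rewrite rule, or an unimplemented method (e.g. TRACK).
        return "disabled"
    return "unknown"


def probe_trace(host, port=443, use_tls=True, timeout=5.0):
    """Send one TRACE request to host:port and classify the reply (needs network)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    finally:
        sock.close()
    return classify_trace_response(b"".join(chunks))
```

probe_trace("example.com") performs the live check against port 443, or probe_trace("example.com", 80, use_tls=False) for plain HTTP; classify_trace_response can be exercised offline with the constructed samples.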

How to disable HTTP TRACE/TRACK methods

There are two ways to disable HTTP TRACE/TRACK methods in Apache.

Option 1: Add rewrite rules in .htaccess

Traditionally you can achieve this with a rewrite rule added to your .htaccess file. You need mod_rewrite enabled on the server, and the directory must allow .htaccess overrides (AllowOverride). Note that the rule below also blocks OPTIONS; drop OPTIONS from the pattern if your site relies on it, for example for CORS preflight requests.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]

Option 2: Using the Apache directive TraceEnable

Apache 1.3.34 and 2.0.55 or newer support the TraceEnable directive to enable or disable the TRACE method. By default, it is enabled. TraceEnable Off causes Apache to return a 403 FORBIDDEN error to the client. The directive belongs in the main server or virtual host configuration; it is not accepted in .htaccess.

Add the below line in the /etc/httpd/conf/httpd.conf file (on Debian-based systems, /etc/apache2/apache2.conf).

TraceEnable Off

Restart Apache

Before restarting, verify the configuration file as below:

# apachectl configtest
Syntax OK

If the syntax is OK, restart the Apache server to take the new changes.

# systemctl restart httpd       ## Redhat systems

# systemctl restart apache2     ## Debian systems

Now the response to a TRACE request should report one of the following:

HTTP/1.1 400 Bad Request

or

HTTP/1.1 405 Method Not Allowed

Updated on November 26, 2021
