Published on 2013-02-13 by John Collins.
By default, Apache2 supports the HTTP TRACE method, which echoes the request it receives back to the client in the response body. That echo is the basis of the cross-site tracing (XST) attack: script running in a victim's browser sends a TRACE request to your site and reads the session cookies and Authorization header straight out of the echoed reply, which defeats the HttpOnly cookie flag. In this tutorial, I will show you how to check for TRACE support on your Apache2 server using curl, and then switch it off if it is enabled.
To see if TRACE is supported by your server, send a TRACE request with curl and look at both the status code and the body:
$ curl -i -X TRACE http://www.site.com/
HTTP/1.1 200 OK
Date: Wed, 13 Feb 2013 14:22:56 GMT
Server: Apache/2.2.15 (CentOS)
Transfer-Encoding: chunked
Content-Type: message/http

TRACE / HTTP/1.1
User-Agent: curl/7.21.7 (x86_64-redhat-linux-gnu) libcurl/7.21.7 NSS/3.13.3.0 zlib/1.2.5 libidn/1.22 libssh2/1.2.7
Host: www.alphadevx.com
Accept: */*
The server answered 200 and echoed my request line and headers back as a message/http body, which is exactly what TRACE does when it is enabled; any cookie or Authorization header sent with the request would have come back the same way. Now let us disable it.
To switch off TRACE support, you need to open your main Apache2 configuration file which is here on my CentOS box:
nano /etc/httpd/conf/httpd.conf
Now add this directive to that file (I added it to the bottom of the file). TraceEnable is only valid in the main server configuration or inside a VirtualHost block, so it cannot be set from an .htaccess file:
TraceEnable off
...then check the configuration syntax (apachectl configtest) and restart Apache2:
$ service httpd restart
Now when I run the same curl command again from my client machine, this is the response I get:
$ curl -i -X TRACE http://www.site.com/
HTTP/1.1 405 Method Not Allowed
Date: Wed, 13 Feb 2013 14:30:32 GMT
Server: Apache/2.2.15 (CentOS)
Allow:
Content-Length: 223
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
</body></html>
The 405 with an empty Allow header is Apache's reply once TraceEnable is off: the request is rejected before anything is echoed, so there is nothing for a cross-site tracing attack to read.
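The same check-then-verify cycle in code, as an added example that is not part of the original post: the script sends a TRACE request carrying a canary header and classifies the reply as "enabled" (200 with the request echoed back, as Apache does by default) or "disabled" (405, as Apache answers after TraceEnable off). Because it has to run offline, it spins up two constructed local HTTP servers that imitate those two Apache behaviours; the header name X-Trace-Probe is an assumed marker, not anything Apache or curl uses. Point probe_trace() at a real URL to check your own server.

```python
"""Probe a web server for HTTP TRACE support (cross-site tracing check).

Added example, not code from the original post. The two local handler
classes are constructed stand-ins for Apache with TraceEnable on/off.
"""
import http.client
import http.server
import threading
import urllib.parse

CANARY_HEADER = "X-Trace-Probe"   # assumed marker header, used to confirm a real echo
CANARY_VALUE = "canary-7f3a"


def probe_trace(url, timeout=5.0):
    """Send TRACE to url; return {'status', 'content_type', 'echoed', 'verdict'}."""
    parts = urllib.parse.urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("TRACE", parts.path or "/", headers={CANARY_HEADER: CANARY_VALUE})
        resp = conn.getresponse()
        status = resp.status
        ctype = resp.getheader("Content-Type", "")
        body = resp.read(65536)
    finally:
        conn.close()
    # A genuine TRACE echo repeats our own request headers verbatim in the body.
    echoed = f"{CANARY_HEADER}: {CANARY_VALUE}".encode() in body
    if status == 200 and (echoed or ctype.startswith("message/http")):
        verdict = "enabled"
    elif status in (405, 501):
        verdict = "disabled"   # Apache with TraceEnable off answers 405
    else:
        verdict = "unknown"    # e.g. a catch-all page returned for any method
    return {"status": status, "content_type": ctype, "echoed": echoed, "verdict": verdict}


class _QuietHandler(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):   # silence per-request logging in the demo
        pass


class TraceEchoHandler(_QuietHandler):
    """Constructed stand-in for Apache's default: echo the request as message/http."""
    def do_TRACE(self):
        echo = self.requestline + "\r\n" + "".join(
            f"{name}: {value}\r\n" for name, value in self.headers.items())
        data = echo.encode("iso-8859-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


class TraceDeniedHandler(_QuietHandler):
    """Constructed stand-in for TraceEnable off: 405 with an empty Allow header."""
    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "")
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(handler_cls):
    """Start handler_cls on an ephemeral loopback port; return (server, base_url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


def demo():
    """Probe both stand-ins; return {'default': result, 'hardened': result}."""
    results = {}
    for label, handler in (("default", TraceEchoHandler), ("hardened", TraceDeniedHandler)):
        srv, url = start_server(handler)
        try:
            results[label] = probe_trace(url)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:9s} HTTP {result['status']}  verdict={result['verdict']}")
```

The canary header matters: a server that answers every method with its home page also returns 200, so a status code alone would misreport TRACE as enabled. Requiring the echo (or the message/http content type) separates a real TRACE reflection from that case.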
Updated 2023: note that the above post was originally published in 2013 but is left here for archival purposes. The TraceEnable directive still exists and still defaults to on in Apache 2.4, so the check and the fix above remain valid. Modern browsers refuse to send TRACE from XMLHttpRequest or fetch(), which removes the original cross-site tracing vector; the method still echoes whatever headers a proxy or load balancer adds in front of the server, though, and vulnerability scanners still flag it, so switching it off remains a sensible default.