how to disable http trace


Upload: someone-that-you-used-to-know

Post on 21-Jul-2016


Page 1: How to Disable HTTP Trace

How to disable HTTP Trace & Track methods?

TRACE and TRACK are HTTP methods used for debugging webserver connections.

Although these methods are useful for legitimate purposes, they may compromise the security of your server by enabling cross-site tracing (XST) attacks. Because the server echoes the complete request, headers included, back in its response body, an attacker who exploits certain browser vulnerabilities may abuse the TRACE and TRACK methods to intercept your visitors’ sensitive data. The solution is to disable these methods on your webserver.

By default, the TRACE method is enabled in Apache.

Verification

Here is an example of how to check whether HTTP TRACE is enabled on your webserver.

[root@cluster2 ~]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: 127.0.0.1
Here Press ENTER twice!

HTTP/1.1 200 OK
Date: Sat, 11 May 2013 14:46:59 GMT
Server: Apache/2.2.3 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

25
TRACE / HTTP/1.1
Host: 127.0.0.1

0

Connection closed by foreign host.


To disable the TRACE and TRACK HTTP methods on your Apache-powered webserver, add the following directives to your main configuration file /etc/httpd/conf/httpd.conf:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

These directives disable the TRACE and TRACK methods via the following process:

RewriteEngine on — enables Apache’s rewrite module (this directive is not required if already present in your htaccess file)

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) — targets all TRACE and TRACK request methods for the following rule

RewriteRule .* - [F] — returns a 403 Forbidden error response for all matched conditions (i.e., all TRACE and TRACK requests)

With these rules in place, your site is protected against one more potential security vulnerability.

So add these 3 lines as shown below:

# vim /etc/httpd/conf/httpd.conf

<VirtualHost www.example.com>
...
# disable TRACE in the www.example.com virtual host
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</VirtualHost>

Save & Exit

Note: If you have N virtual hosts configured, then you need to do the same for all of them. mod_rewrite must be active for these directives to be accepted.

Now restart your Apache service:

/etc/init.d/httpd restart

Here is an example of how to check whether HTTP TRACE is disabled on your webserver:

[root@cluster2 ~]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
TRACE / HTTP/1.1
Host: 127.0.0.1
Here Press ENTER twice!

HTTP/1.1 403 Forbidden
Date: Sat, 11 May 2013 15:08:59 GMT
Server: Apache/2.2.3 (Red Hat)
Accept-Ranges: bytes
Content-Length: 3985
Connection: close
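The same check as the two telnet sessions above, as an added example that is not part of the original document: it builds the TRACE request, parses the raw response, and decodes the chunked message/http body to confirm that the server really reflected the request (the condition XST relies on). The two sample responses are constructed here after the sessions shown on this page; check_server() is a live probe and needs a reachable host.

```python
import re
import socket

# Constructed samples shaped after the two telnet sessions on this page. The 0x25
# (37-byte) chunk is the echoed request "TRACE / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n".
ENABLED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Red Hat)\r\nConnection: close\r\n"
    b"Transfer-Encoding: chunked\r\nContent-Type: message/http\r\n\r\n"
    b"25\r\nTRACE / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n\r\n0\r\n\r\n"
)
DISABLED_RESPONSE = (
    b"HTTP/1.1 403 Forbidden\r\nServer: Apache/2.2.3 (Red Hat)\r\n"
    b"Content-Length: 0\r\nConnection: close\r\n\r\n"
)

def build_trace_request(host):
    return f"TRACE / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()

def trace_status(raw):
    """Status code from a raw HTTP/1.x response, or -1 if the status line is unparseable."""
    m = re.match(rb"HTTP/1\.[01] (\d{3}) ", raw)
    return int(m.group(1)) if m else -1

def echoed_request(raw):
    """Decode the chunked message/http body, i.e. the request the server reflected back."""
    head, _, body = raw.partition(b"\r\n\r\n")
    if b"message/http" not in head.lower():
        return b""
    out = b""
    while body:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0].strip() or b"0", 16)  # hex size, ignore extensions
        if size == 0:
            break
        out += body[:size]
        body = body[size + 2:]  # skip chunk data and its trailing CRLF
    return out

def trace_enabled(raw):
    """True when the server answered 200 and reflected our TRACE request (the XST condition)."""
    return trace_status(raw) == 200 and echoed_request(raw).startswith(b"TRACE ")

def check_server(host, port=80, timeout=5.0):
    """Live probe equivalent to the telnet session above; needs a reachable host."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_trace_request(host))
        chunks = []
        while (c := s.recv(4096)):
            chunks.append(c)
    return trace_enabled(b"".join(chunks))
```

The decoded chunk is 37 bytes, which matches the "200 37" size recorded in the access-log line below.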

Also verify the Apache access log file:

Before TRACE disable:

127.0.0.1 - - [11/May/2013:07:31:49 -0700] "TRACE / HTTP/1.1" 200 37 "-" "-"

After TRACE disable:

127.0.0.1 - - [11/May/2013:08:04:51 -0700] "TRACE / HTTP/1.1" 403 3985

So now your site is protected against one more potential security vulnerability. :)