Apache Hardening Tutorial : Disable HTTP Trace

Disable HTTP Trace


What is HTTP Trace ? Apache Hardening Tutorial

This article is part of the Apache Hardening and Securing tutorial series. This time we will be taking a look on HTTP Trace find how to check if you are vulnerable and how to fix it.


If your webserver has the HTTP Trace enabled this going to put it into a risk of Cross-Site Tracing and use of Cross-site Scripting (XSS).

TRACE: This method simply echoes back to the client whatever string has been sent to the server, and is used mainly for debugging purposes.

The TRACE method, while it looks fine, it can be used in some scenarios to steal customers' credentials. It allows the client to see what is being received at the other end of the request.

This attack method was first discovered in 2003.

Find if your Web-server is Vulnerable

To check if the trace is enabled by default or not disabled you can use curl for that.
-k To perform insecure connection.

-X Use specified proxy

curl -k -X TRACE https://ip.ip.ip.ip/

If the HTTP Trace is enabled you will be getting something similar to below output and means that you are vulnerable to cross site tracing.

TRACE /phpinfo.php HTTP/1.1
User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: ip.ip.ip.ip
Accept: */*

Disable HTTP Trace and Secure your Web-server

vi /etc/httpd/conf/httpd.conf


TraceEnable Off


service httpd restart

After disabling HTTP Trace try the curl command to check the status:

Expected output:

<title>403 Forbidden</title>
<p>You don't have permission to access /phpinfo.php
on this server.</p>
<address>Apache/2.2.3 (Red Hat) Server at ip.ip.ip.ip Port 443</address>


Subscribe to
for video tutorials updates