Disabling HTTP TRACE method in Apache - Security

This is a discussion on Disabling HTTP TRACE method in Apache - Security ; Greetings, I am trying to disable the HTTP TRACE method in Apache. For that I add the following configuration lines in httpd.conf RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F] After that I tried to check whether TRACE method ...

+ Reply to Thread
Results 1 to 3 of 3

Thread: Disabling HTTP TRACE method in Apache

  1. Disabling HTTP TRACE method in Apache

    Greetings,

    I am trying to disable the HTTP TRACE method in Apache.
    For that I add the following configuration lines in httpd.conf



    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]


    After that I tried to check whether TRACE method is disabled or
    not.
    using the following commands.

    telnet 172.16.16.25 80
    Trying 172.16.16.25...
    Connected to 172.16.16.25 (172.16.16.25).
    Escape character is '^]'.
    TRACE / HTTP/1.1
    Host: 172.16.16.25

    HTTP/1.1 200 OK
    Date: Tue, 26 Feb 2008 21:06:29 GMT
    Server: Apache
    Transfer-Encoding: chunked
    Content-Type: message/http

    28
    TRACE / HTTP/1.1
    Host: 172.16.16.25

    0

    Connection closed by foreign host.

    The output confirms that TRACE method was not disabled.
    Please clarify me how to disable HTTP TRACE method.
    I am using the following Apache version

    Server version: Apache/2.2.8 (Unix)
    Server built: Feb 18 2008 12:23:43

    With Thanks in Advance.

    regards
    zaman




  2. Re: Disabling HTTP TRACE method in Apache

    On 26.02.2008, bzaman wrote:
    > Greetings,
    >
    > I am trying to disable the HTTP TRACE method in Apache.
    > For that I add the following configuration lines in httpd.conf
    >
    >
    >
    > RewriteEngine On
    > RewriteCond %{REQUEST_METHOD} ^TRACE
    > RewriteRule .* - [F]
    >


    And why don't you simply disable this method ( directive
    with mod_access) instead of messing with mod_rewrite?

    --
    Secunia non olet.
    Stanislaw Klekot

  3. Re: Disabling HTTP TRACE method in Apache

    On Tue, 26 Feb 2008 03:54:58 -0800 (PST)
    bzaman wrote:

    > I am trying to disable the HTTP TRACE method in Apache.


    TraceEnable Off


    Regards,
    Ertugrul.


    --
    http://ertes.de/


+ Reply to Thread