How to test and disable TRACE requests in Apache

Some PCI compliance scans fail because the HTTP "TRACE" method is enabled on the web server.
To test whether your web server accepts TRACE requests, open a raw connection and type the following:

telnet 127.0.0.1 80
TRACE / HTTP/1.0
Host: www.whatever.com
[CR] (a blank line: press Enter once more)

Instead of typing '[CR]', just send an empty line after the "Host: www.whatever.com" line. If the server answers by echoing your request back, including the same "Host: www.whatever.com" line you typed, TRACE is enabled and you are "vulnerable" as far as the scan is concerned.

To disable this, add the following to the "Main server configuration" section of Apache's httpd.conf:

# Disable Trace requests:
TraceEnable off

Then restart Apache. Repeating the test above should now return a "405 Method Not Allowed" response, and you are in compliance (for this test at least!).
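The telnet test above works fine by hand, but if you want to re-check a server before and after setting TraceEnable off (or check several virtual hosts), a small script is easier. The following is an added example, not code from the original post: it sends the same TRACE request the post describes and classifies the answer as "enabled" (the request is echoed back as a message/http document), "disabled" (405 Method Not Allowed) or "unknown". The two sample responses embedded at the bottom are constructed for offline testing; the host name www.whatever.com is the placeholder the post uses.

```python
import socket


def build_trace_request(host: str) -> bytes:
    """Build the raw HTTP/1.0 TRACE request from the post, ending in a blank line."""
    return f"TRACE / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def classify_trace_response(raw: bytes) -> str:
    """Classify a raw HTTP response to a TRACE request.

    Returns "enabled" when the server echoed the request back (200 OK whose
    body starts with the TRACE request line), "disabled" when it replied
    405 Method Not Allowed, and "unknown" for anything else.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1", "replace").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "unknown"
    status = int(parts[1])

    headers = {}
    for line in lines[1:]:
        name, sep, value = line.decode("latin-1", "replace").partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    if status == 405:
        return "disabled"
    # An echoing server returns our own request as the body; Apache labels it
    # message/http, but the echoed request line alone is enough evidence.
    echoed = body.lstrip().upper().startswith(b"TRACE ")
    if status == 200 and (echoed or headers.get("content-type", "").lower().startswith("message/http")):
        return "enabled"
    return "unknown"


def check_trace(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Connect to host:port, send the TRACE request and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))


# Constructed sample responses (not captured from a real server) so the
# classifier can be exercised without network access.
SAMPLE_ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.0\r\n"
    b"Host: www.whatever.com\r\n"
    b"\r\n"
)

SAMPLE_DISABLED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Method Not Allowed</h1></body></html>"
)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Live check: python trace_check.py www.whatever.com [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(sys.argv[1], "TRACE", check_trace(sys.argv[1], port))
    else:
        print("sample enabled  ->", classify_trace_response(SAMPLE_ENABLED))
        print("sample disabled ->", classify_trace_response(SAMPLE_DISABLED))
```

Run it with no arguments to see the classifier on the two samples, or with a host name (and optional port) to test a real server; "disabled" after the restart confirms TraceEnable off took effect. The script uses HTTP/1.0 without keep-alive, exactly like the telnet session, so the server closes the connection and recv() returns the whole response.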
