TRACE Method enabled
Description
The HTTP TRACE method is enabled on the web server. This method instructs the server to echo back the exact request received, including all headers. While TRACE has legitimate debugging purposes, it can be exploited in cross-site tracing (XST) attacks to bypass HTTPOnly cookie protections and access sensitive header information such as authentication tokens when combined with client-side vulnerabilities.
Remediation
Disable the HTTP TRACE method on your web server. Implementation varies by server type:
Apache: Add the following to your httpd.conf or .htaccess file:
TraceEnable Off
Nginx: Add to your server configuration block:
if ($request_method = TRACE) {
return 405;
}IIS: Use the URL Rewrite module or add a custom handler in web.config:
<system.webServer>
<security>
<requestFiltering>
<verbs>
<add verb="TRACE" allowed="false" />
</verbs>
</requestFiltering>
</security>
</system.webServer>After making changes, restart the web server and verify the TRACE method is disabled by testing with:
curl -X TRACE https://your-server.comThe server should return a 405 Method Not Allowed or similar error response.