Apache: Disable TRACE and TRACK methods

Lots of PCI compliance and vulnerability scan vendors will complain about TRACE and TRACK methods being enabled on your server. Since most providers run Nessus, you'll see this fairly often. Here are the rewrite rules to add:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

These directives will need to be added to each VirtualHost.
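
Because a missed VirtualHost is the usual reason a scanner keeps flagging a server after this change, here is an added example (not code from the original post) that audits configuration text and reports, per VirtualHost block, whether the rewrite rules above or a TraceEnable off line are present inside it. The function names, the sample hostnames and the sample configuration are constructed for illustration, and the check recognizes only those two forms.

```python
import re

# Constructed sample configuration for the demonstration (not from the post).
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName a.example.com
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example.com
    RewriteEngine on
    # RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule ^/old$ /new [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    TraceEnable off
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>", re.I | re.S)

def directives(block):
    """Return (name, args) pairs, name lower-cased, skipping comments and blanks."""
    rows = [ln.split(None, 1) + [""] for ln in map(str.strip, block.splitlines())
            if ln and not ln.startswith("#")]
    return [(r[0].lower(), r[1].strip()) for r in rows]

def has_forbidden_flag(rule_args):
    """True if a RewriteRule's trailing [flags] include F (or 'forbidden')."""
    m = re.search(r"\[([^\]]*)\]\s*$", rule_args)
    return bool(m) and any(f.strip().upper() in ("F", "FORBIDDEN") for f in m.group(1).split(","))

def blocks_trace(block):
    """True if a vhost body has 'TraceEnable off' or the post's rewrite rules."""
    d = directives(block)
    low = [(n, a.lower()) for n, a in d]
    # A RewriteCond only applies to the RewriteRule that directly follows it.
    return ("traceenable", "off") in low or (("rewriteengine", "on") in low and any(
        n1 == "rewritecond" and "%{REQUEST_METHOD}" in a1 and "TRAC" in a1
        and n2 == "rewriterule" and has_forbidden_flag(a2)
        for (n1, a1), (n2, a2) in zip(d, d[1:])))

def audit(conf):
    """Map each VirtualHost's ServerName (else its address) to True/False."""
    return {dict(directives(body)).get("servername", addr.strip()): blocks_trace(body)
            for addr, body in VHOST_RE.findall(conf)}

print(audit(SAMPLE_CONF))
```

To audit a real server, pass the contents of its configuration files to audit() in place of SAMPLE_CONF; any host that maps to False has neither form inside its block.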

Further reading:
Apache Debugging Guide

Printed from: http://rackerhacker.com/2007/08/28/apache-disable-trace-and-track-methods/ .
© Major Hayden 2012.

2 Comments

  • ace says:

    For Apache version 1.3.34 (or later 1.3.x versions), or Apache 2.0.55 (or later), this has been made easy. Just add the line TraceEnable off

  • Kirrus says:

    You can also add this rewrite directive to your main Apache configuration, in which case it will be deployed against all your vHosts.
