Disable Trace and Track<\/p>\n
A server on which I recently scanned with security software that revealed a significant security risk. Namely, the HTTP request methods TRACE and TRACK were found to be enabled on my webserver. The TRACE and TRACK protocols are HTTP methods used in the debugging of webserver connections.<\/p>\n
Although these methods are useful for legitimate purposes, they may compromise the security of your server by enabling cross-site scripting attacks (XST). By exploiting certain browser vulnerabilities, an attacker may manipulate the TRACE and TRACK methods to intercept your visitors\u2019 sensitive data. The solution, of course, is disable these methods on your webserver.<\/p>\n
How to disable the TRACE and TRACK methods<\/p>\n
To disable TRACE and TRACK HTTP methods on your Apache-powered webserver, add the following directives to either your main configuration file or root HTAccess file:<\/p>\n
RewriteEngine on
\nRewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
\nRewriteRule .* – [F]<\/p>\n
These directives disable the TRACE and TRACK methods via the following process:<\/p>\n
* RewriteEngine on \u2014 enables Apache\u2019s rewrite module (this directive is not required if already present in your htaccess file)
\n * RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) \u2014 targets all TRACE and TRACK request methods for the following rule
\n * RewriteRule .* – [F] \u2014 return a 403 Forbidden error response for all matched conditions (i.e., all TRACE and TRACK methods)<\/p>\n
With these rules in place, your site is protected against one more potential security vulnerability <\/p>\n","protected":false},"excerpt":{"rendered":"
Disable Trace and Track A server on which I recently scanned with security software that revealed a significant security risk. Namely, the HTTP request methods TRACE and TRACK were found to be enabled on my webserver. The TRACE and TRACK protocols are HTTP methods used in the debugging of webserver connections. Although these methods are… <\/p>\n