How to Disable HTTP TRACE Method in Apache?

The HTTP TRACE method is a built-in diagnostic feature used to echo back the received request to the client, but it poses a significant security risk by exposing sensitive data like cookies and headers via Cross-Site Tracing (XST) attacks. Securing your web server requires disabling this method to protect user data and meet compliance standards like PCI-DSS. This guide provides a straightforward, step-by-step walkthrough on how to quickly disable the TRACE method across your Apache server configuration.

Step 1: Locate Your Apache Configuration File

The location of the main Apache configuration file depends on your operating system and distribution. You will need root or sudo privileges to edit it.

Step 2: Modify the Configuration File

Open the configuration file using a text editor like nano or vi. For example, on Ubuntu, run:

sudo nano /etc/apache2/apache2.conf

Scroll to the bottom of the file or look for the global server directives, and add the following line:

TraceEnable off

Note: If you only want to disable TRACE for a specific website rather than the entire server, you can place the TraceEnable off directive inside a specific <VirtualHost> block instead of the global configuration.

Step 3: Verify and Restart Apache

Before applying the changes, it is best practice to test the Apache configuration syntax to ensure there are no errors.

# For Ubuntu/Debian
sudo apache2ctl configtest

# For CentOS/RHEL
sudo httpd -t

If the output returns Syntax OK, restart the Apache service to apply the new security settings:

# For Ubuntu/Debian
sudo systemctl restart apache2

# For CentOS/RHEL
sudo systemctl restart httpd

Step 4: Verify the Changes

You can verify that the TRACE method has been successfully disabled by using a simple curl command from your terminal:

curl -v -X TRACE http://localhost

If the configuration was successful, the server will refuse the request and return a 405 Method Not Allowed or 403 Forbidden status code instead of echoing back your request headers.
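As an added verification helper (not part of the original guide), the POSIX shell script below classifies a TRACE probe the way Step 4 describes and reads the effective TraceEnable value out of a configuration file; the function names, the default URL and the constructed config lines are assumptions.

```shell
#!/bin/sh
# Hypothetical helper for checking that HTTP TRACE is disabled.

# classify_trace_status STATUS_CODE CONTENT_TYPE
# Prints "disabled" when the server rejects TRACE, "enabled" when it echoes
# the request back, and "unknown" otherwise.
classify_trace_status() {
  code="$1"
  ctype="$2"
  case "$code" in
    405|403|501) echo disabled; return 0 ;;
    200)
      # A real TRACE echo is returned with Content-Type message/http; a 200
      # with any other type is not a confirmed echo.
      case "$ctype" in
        message/http*) echo enabled; return 1 ;;
        *) echo unknown; return 2 ;;
      esac ;;
    *) echo unknown; return 2 ;;
  esac
}

# probe_trace [URL]
# Sends a TRACE request with curl (assumed installed) and classifies the answer.
probe_trace() {
  url="${1:-http://localhost/}"
  out=$(curl -s -o /dev/null -X TRACE -w '%{http_code} %{content_type}' "$url") \
    || { echo unknown; return 2; }
  code=${out%% *}
  ctype=${out#* }
  classify_trace_status "$code" "$ctype"
}

# effective_trace_setting CONFIG_FILE
# Prints the last uncommented TraceEnable value in the file, lower-cased
# (a later directive overrides an earlier one at the same scope), or "on"
# when the directive is absent, since Apache's default is TraceEnable on.
# Include files and <VirtualHost> scoping are not followed.
effective_trace_setting() {
  val=$(sed -n 's/^[[:space:]]*[Tt][Rr][Aa][Cc][Ee][Ee][Nn][Aa][Bb][Ll][Ee][[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
  if [ -z "$val" ]; then echo on; else echo "$val" | tr 'A-Z' 'a-z'; fi
}
```

Run `probe_trace http://localhost/` after the restart; a result of "enabled" means the directive is not in effect for the host that answered, typically because it sits in a different scope than the one serving the request.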