The TRACE method must be disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-26325 | WA00550 W22 | SV-33183r1_rule | - | medium |

Description

Use the Apache TraceEnable directive to disable the HTTP TRACE request method; refer to the Apache documentation for details: http://httpd.apache.org/docs/2.2/mod/core.html#traceenable. The HTTP/1.1 protocol requires support for the TRACE request method, which reflects the request back to the client as the response body and was intended for diagnostic purposes. The TRACE method is not needed, is easily subject to abuse, and should be disabled.

| STIG | Date |
|---|---|
| APACHE 2.2 Server for Windows Security Technical Implementation Guide | 2018-12-24 |
Details
Check Text (C-33183r1_chk)
Locate the Apache httpd.conf file.
Open the httpd.conf file with an editor such as Notepad and search for the following uncommented directive: TraceEnable
For any enabled TraceEnable directive, ensure it is part of the server-level configuration (i.e., not nested in a <Directory> or <Location> section). Also ensure that the TraceEnable directive is set to "Off".
If the TraceEnable directive is not part of the server-level configuration and/or is not set to "Off", this is a finding. If the directive does not exist in the configuration file, this is also a finding, because the default value is "On".
Fix Text (F-29467r1_fix)
Disable the HTTP TRACE method by setting the TraceEnable directive to "Off" at the server level of httpd.conf.
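The check above can be automated. The following is an added example, not part of the STIG or of Apache, that applies the check logic to httpd.conf text: commented lines are ignored, a TraceEnable inside any container section is treated as not server-level, a missing directive is a finding because the default is On, and the last server-level occurrence wins as it does in Apache. The two configuration fragments and the C:/Apache22 paths are constructed sample input.

```python
import re

# Constructed httpd.conf fragment that fails the check: the only active
# TraceEnable is nested in a <Location> section, and the server-level one is commented out.
NONCOMPLIANT_CONF = """
ServerRoot "C:/Apache22"
# TraceEnable Off
<Location /status>
    TraceEnable Off
</Location>
"""

# Constructed httpd.conf fragment that passes the check (server-level TraceEnable Off).
COMPLIANT_CONF = """
ServerRoot "C:/Apache22"
TraceEnable Off
<Directory "C:/Apache22/htdocs">
    Options None
</Directory>
"""

_OPEN = re.compile(r"^<(\w+)")          # start of any container section, e.g. <Directory ...>
_CLOSE = re.compile(r"^</(\w+)")        # end of a container section, e.g. </Directory>
_DIRECTIVE = re.compile(r"^TraceEnable\s+(\S+)", re.I)  # Apache directives are case-insensitive

def audit_trace_enable(conf_text):
    """Return (finding, reason). finding is True when no uncommented,
    server-level TraceEnable directive is set to Off."""
    depth = 0             # nesting depth of container sections; 0 means server level
    server_level = []     # TraceEnable values found at server level, in file order
    nested = []           # TraceEnable values found inside any container (assumption:
                          # every container, not only Directory/Location, is non-server-level)
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank and commented lines do not count
        if _CLOSE.match(stripped):
            depth = max(depth - 1, 0)
            continue
        if _OPEN.match(stripped):
            depth += 1
            continue
        m = _DIRECTIVE.match(stripped)
        if m:
            (server_level if depth == 0 else nested).append(m.group(1).lower())
    if not server_level:
        why = "no server-level TraceEnable directive; Apache default is On"
        if nested:
            why += "; found only inside a container section: " + ", ".join(nested)
        return True, why
    if server_level[-1] != "off":         # the last occurrence is the effective value
        return True, "server-level TraceEnable is %r, not Off" % server_level[-1]
    return False, "TraceEnable Off is set at server level"
```

To audit a real server, pass the contents of its httpd.conf (and any included configuration files) to audit_trace_enable.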