Apache: Disabling TRACK and TRACE Methods

By default Apache supports a number of HTTP methods in addition to the ones we normally use – GET (to get objects) and PUSH (to push form data although you can send form data with GET too). These additional methods are mostly harmless, but two do leak information about a server that you may not want an attacker to know.

Fortunately turning this off is a single line configuration change; simply add the following to one of the Apache configuration files :-

  TraceEnable off

And you will be protected (and won’t receive any more nasty messages about that bit of configuration).

You can make this change in almost any of the files commonly found under /etc/apache2 but two possible locations where it is ready to go are :-

  1. For Ubuntu/Debian-derived Linux systems, look at /etc/apache2/conf-enabled/security.conf (it is present but commented out)
  2. For SLES-derived Linux systems, add the line to /etc/apache2/conf.d/local.conf

Of course with any Apache change you will need to restart it (and preferably in a safe manner) :-

✓ root@pm-log2# apachectl configtest
Syntax OK
✓ root@pm-log2# apachectl graceful  


This entry was posted in Technical and tagged , . Bookmark the permalink.