Security Tip: Disable the HTTP TRACE method in Apache

Ron Peled 10:57 am

If you are running a multi-million dollar eCommerce site you may want to make sure that the HTTP TRACE method is disabled. By default this method is enabled in Apache, and when enabled it allows Cross-Site Tracing (XST), which can give a hacker the chance to steal your cookie information for a specific website so that they can later impersonate you.

To fix this I followed the simple instructions given by Marius Ducea, a Linux Admin Blogger. In short, the way to address this security issue is to disable the TRACE HTTP method in Apache. You can do so by adding this directive in a general area of your /etc/httpd/conf/httpd.conf file:

TraceEnable off

Then restart Apache to make sure that everything is working ok. Done.
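To confirm the change took effect, the following added example (not part of the original post) sends a single TRACE request and reports whether the server echoes it back; with TraceEnable off, Apache answers 405 Method Not Allowed. The function name `check_trace`, the `X-Trace-Check` header and the two local stand-in servers are assumptions made for the demonstration.

```python
import http.client
import http.server
import threading
import uuid

def check_trace(host, port=80, use_tls=False, timeout=5):
    """Send one TRACE request; report whether the server echoes it back."""
    marker = uuid.uuid4().hex  # random value we look for in the echoed request
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Trace-Check": marker})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
    finally:
        conn.close()
    # An enabled TRACE answers 200 and reflects the request, headers included.
    return {"status": resp.status,
            "trace_enabled": resp.status == 200 and marker in body}

class _Quiet(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass

class EchoTrace(_Quiet):
    """Constructed stand-in for a server that still answers TRACE."""
    def do_TRACE(self):
        echo = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

class RejectTrace(_Quiet):
    """Constructed stand-in for Apache with TraceEnable off (405)."""
    def do_TRACE(self):
        self.send_error(405)

def serve_locally(handler):
    """Start a throwaway server on a free loopback port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    for handler in (EchoTrace, RejectTrace):
        srv = serve_locally(handler)
        print(handler.__name__, check_trace("127.0.0.1", srv.server_address[1]))
        srv.shutdown()
```

After restarting Apache, call `check_trace` with your own server's host and port; `trace_enabled` should be `False`.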

One Comment

  • I was using TRACE HTTP to trace various things on my Linux box but thank you for opening my eyes that TRACE can be used as spoofing and hacking. I am going to disable this right away.