The TRACE method must be disabled.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-26325 | WA00550 | WA00550 W22 | SV-33183r1_rule | 2018-12-24 | 1 |
Description
Use the Apache TraceEnable directive to disable the HTTP TRACE request method. Refer to the Apache documentation for more details http://httpd.apache.org/docs/2.2/mod/core.html#traceenable. The HTTP 1.1 protocol requires support for the TRACE request method which reflects the request back as a response and was intended for diagnostics purposes. The TRACE method is not needed and is easily subject to abuse and should be disabled.
ℹ️ Check
Locate the Apache httpd.conf file.
Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive: TraceEnable
For any enabled TraceEnable directives ensure they are part of the server level configuration (i.e. not nested in a <Directory> or <Location> directive). Also ensure that the TraceEnable directive is set to “Off”.
If the TraceEnable directive is not part of the server level configuration and/or is not set to “off” this is a finding. If the directive does not exist in the conf file this is a finding as the default value is "On".
✔️ Fix
Disable the TraceEnable directive by setting it to "off".