How to Disable HTTP TRACE Method for Apache, IIS, sunOne, and Lotus Domino

Posted on IT Expert By IT Expert No Comments on How to Disable HTTP TRACE Method for Apache, IIS, sunOne, and Lotus Domino
Disable HTTP TRACE Method

The HTTP TRACE method is normally used to return the full HTTP request back to the requesting client for proxy-debugging purposes. An attacker can create a webpage using XMLHTTP, ActiveX, or XMLDOM to cause a client to issue a TRACE request and capture the client’s cookies. This effectively results in a Cross-Site Scripting attack. In this post, I will be explaining how to disable HTTP trace method for Apache, IIS, SunOne, and Lotus Domino.

Kindly refer to some of these interesting guides: How to install and configure FTP server on Windows 10, Event ID 5059: Application pool has been disabled or Changing identity user for IIS Application Pool, and how to Disable HTTP TRACE Method for Apache, IIS, sunOne, and Lotus Domino. These steps were tested on Windows Server 2019, and 2022. Please refer to the guide on how to resolve this concern: Warning: FTP over TLS is not enabled, users cannot securely log in: You appear to be behind a NAT Router, please configure the passive mode settings and forward a range of ports in your router.

Disable HTTP TRACE Method for Apache
Newer versions of Apache (1.3.34 and 2.0.55 and later) provide a configuration directive called TraceEnable.

Consequently, To deny TRACE requests, add the following line to the server configuration:
TraceEnable off

Furthermore, For older versions of the Apache webserver, use the mod_rewrite module to deny the TRACE requests:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

Disable HTTP TRACE Method for Microsoft IIS
Nonetheless, For Microsoft Internet Information Services (IIS), you may use the URLScan tool, freely available at this link.

Disable HTTP TRACE Method for SunONE/iPlanet
However, For Sun ONE/iPlanet Web Server v6.0 SP2 and later, add the following configuration to the top of the default object in the ‘obj.conf’ file: 

< Client method="TRACE" >
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
< /Client >

Disable HTTP TRACE Method for Domino
In addition, Follow IBM’s instructions for disabling HTTP methods on the Domino server by adding the following line to the server’s NOTES.INI file:
HTTPDisableMethods=TRACE
After saving NOTES.INI, restart the Notes web server by issuing the console command "tell http restart"

Moreover, Following the steps above should help, and it should not be captured during penetration testing on your servers.

Rate this post
Web Server Tags:

Related Posts

More Related Articles

Install FileZilla Client FileZilla Client on Mac: How to Transfer Files to WordPress via SFTP Mac
CAL Removal How to Remove and Manage RDS Licenses Web Server
Remote Desktop 2 1 How to install RDS via Quick Start Deployment: Install, Publish, Update, and Uninstall Remote Desktop Web Client Web Server
Screenshot 2022 03 21 at 18.06.30 How to Configure Virtual Host for Apache HTTP Web Server to Host Several Domains on Ubuntu 20.04 LTS Linux
Azure VM Creation With CLI 1 Deploy a Linux virtual machine (VM) on Azure using the Azure CLI AWS/Azure/OpenShift
Secure Web Server How to secure a Web Server on a Windows VM in Azure using TLS/SSL Certificates Saved in Azure Key Vault AWS/Azure/OpenShift

Leave a Reply