How to disallow or disable HTTP TRACE requests in httpd

Solution Verified

Issue

  • How can I disallow HTTP TRACE requests in Red Hat Enterprise Linux (RHEL)?
  • How can I test to see if httpd / Apache is responding to TRACE requests?
  • My security team communicated that we are vulnerable to CVE-2004-2320 or CVE-2010-0386. How can I resolve this?
  • We are running EWS 2.0. Our operations ran a security audit on our servers and confirmed that we are vulnerable to the Apache HTTP TRACE / TRACK Methods Allowed issue. How do we fix it?
  • Our security team reports the HTTP TRACE Method Enabled vulnerability; how is this addressed?
  • Servers were identified with the TRACE and TRACK methods enabled. TRACE and TRACK are two HTTP methods used to debug web applications. These methods could be leveraged by malicious users to perform Cross-site Tracing attacks, which are used to bypass authentication token protections.

Environment

  • Apache HTTP Server (httpd) as shipped in:
    • Red Hat Enterprise Linux (RHEL)
    • Red Hat Software Collections (RHSCL)
    • Red Hat JBoss Web Server (EWS/JWS)
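
One way to answer the testing question in the Issue list, as an added example that is not part of the original article or Red Hat's own tooling: send a single TRACE request to a server you administer and check whether the request is echoed back. The header name `X-Trace-Check`, the function names and the set of "refused" status codes are assumptions of this example.

```python
import http.client
import uuid

# Status codes treated as "TRACE refused" (assumption of this example):
# 405 Method Not Allowed, 501 Not Implemented, 403 Forbidden.
REFUSED = {403, 405, 501}


def classify_trace(status, content_type, body, marker):
    """Classify a response to a TRACE probe.

    'enabled'      - the request (or our marker header) was echoed back
    'disabled'     - the server refused the method
    'inconclusive' - something else answered (proxy, application handler)
    """
    ctype = (content_type or "").split(";")[0].strip().lower()
    echoed = marker.encode() in body
    # A TRACE response carries the received request as a message/http body.
    if status == 200 and (echoed or ctype == "message/http"):
        return "enabled"
    if status in REFUSED:
        return "disabled"
    return "inconclusive"


def probe_trace(host, port=80, tls=False, timeout=5):
    """Send one TRACE request and classify the reply."""
    # Random marker in a hypothetical header so an echo is unambiguous.
    marker = "trace-check-" + uuid.uuid4().hex
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Trace-Check": marker})
        resp = conn.getresponse()
        body = resp.read(65536)
        return classify_trace(resp.status, resp.getheader("Content-Type"),
                              body, marker)
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print(probe_trace(sys.argv[1], port))
```

An `inconclusive` result usually means a front-end proxy or the application answered instead of httpd, so repeat the check directly against the httpd listener.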
