Nasser Heidari


Disabling HTTP TRACE method in Apache and IIS

Filed under: Linux,Security Tips and Issues — Nasser Heidari @ 05:57


Traditionally, experts suggest disabling TRACE with rewrite rules such as:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

(This needs to be added somewhere in your main Apache config file, outside of any vhost or directory config.)

Still, this approach has disadvantages; to mention just one, it requires mod_rewrite to be enabled on the server.
For Apache versions newer than 1.3.34 on the legacy branch, and 2.0.55 (or newer) for apache2, this can be done very easily,
because there is a new Apache directive that controls whether the TRACE method is enabled:

TraceEnable off

This must be added to the main server config; the default is enabled (on).
TraceEnable off causes Apache to return a 403 FORBIDDEN error to the client.

Microsoft IIS

In Microsoft Windows, TRACE is controlled by a registry key.
Create a DWORD value called EnableTraceMethod in


This should be 1 for on, and 0 for off.
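To confirm that either change took effect, send a TRACE request carrying a unique marker header and check whether the server echoes it back. The following is an added example, not part of the original post; the header name X-Trace-Probe, the function names and the sample responses are constructed for illustration.

```python
import http.client
import secrets

def classify_trace(status, content_type, body, marker):
    """Classify one TRACE response as 'enabled', 'disabled' or 'inconclusive'."""
    echoed = marker.encode() in body
    # A working TRACE echoes the request back, normally as message/http.
    if status == 200 and (echoed or content_type.lower().startswith("message/http")):
        return "enabled"
    # Any 4xx/5xx rejection without an echo means the method is refused.
    if 400 <= status < 600 and not echoed:
        return "disabled"
    # e.g. 200 text/html: something answered, but not a TRACE echo.
    return "inconclusive"

def probe_trace(host, port=80, use_tls=False, timeout=5):
    """Send TRACE / with a random marker header to a server you administer."""
    marker = secrets.token_hex(8)
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Trace-Probe": marker})
        resp = conn.getresponse()
        body = resp.read(65536)  # cap the read; an echo is small
        ctype = resp.getheader("Content-Type", "")
        return classify_trace(resp.status, ctype, body, marker)
    finally:
        conn.close()

# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "echo": (200, "message/http",
             b"TRACE / HTTP/1.1\r\nHost: example.test\r\n"
             b"X-Trace-Probe: abc123\r\n\r\n"),
    "forbidden": (403, "text/html", b"<h1>Forbidden</h1>"),
    "served_page": (200, "text/html", b"<html>home</html>"),
}

if __name__ == "__main__":
    for name, (status, ctype, body) in SAMPLES.items():
        print(name, "->", classify_trace(status, ctype, body, "abc123"))
```

Run probe_trace against each listener (main server and every vhost, HTTP and HTTPS) after reloading the configuration; an "inconclusive" result usually means a proxy or application in front answered the request and should be checked by hand.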



  1. Thanks, It was helpful.

    Comment by Navid — 2010-09-12 @ 17:09

  2. This is real security information
    Keep it up!!!!

    Comment by Bhushan Somvanshi — 2011-06-02 @ 16:00
