Apache Tips: Disable the HTTP TRACE method

Note

Most vulnerability scanners will complain when the TRACE method is enabled on the web server being tested. This tip disables it and returns a 403 FORBIDDEN error to the client (Apache versions newer than 1.3.34 for the legacy branch, and 2.0.55 for apache2).

The directive must be added to the main server config; by default, TRACE is enabled (on):

TraceEnable Off
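
To confirm the directive took effect after reloading Apache, the following added example (not part of the original tip) sends a single TRACE request to a server you administer and classifies the answer. The `X-Trace-Check` header name and the function names are assumptions chosen for illustration.

```python
import http.client
import uuid


def classify_trace_response(status, content_type, body, marker):
    """Decide from one response whether TRACE is enabled.

    An enabled TRACE handler answers 200 with Content-Type message/http and
    echoes the request, including our marker header, back in the body.
    """
    echoed = marker in body
    if status == 200 and (echoed or content_type.lower().startswith("message/http")):
        return "enabled"
    # Apache documents 405 for "TraceEnable Off"; 403 (the code named in the
    # tip above) and 501 are also treated as a refusal.
    if status in (403, 405, 501):
        return "disabled"
    # e.g. an application that answers any method with its normal 200 page
    return "inconclusive"


def check_trace(host, port=80, use_tls=False, timeout=5):
    """Send one TRACE request and return (verdict, http_status)."""
    marker = "trace-check-" + uuid.uuid4().hex  # random value to find in the echo
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Trace-Check": marker})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
        ctype = resp.getheader("Content-Type", "")
        return classify_trace_response(resp.status, ctype, body, marker), resp.status
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    verdict, status = check_trace(host, port)
    print(f"{host}:{port} TRACE -> HTTP {status}: {verdict}")
```

Run it against each virtual host name as well as the default host, since a scanner will test whichever name it was pointed at.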