TRACE HTTP method enabled

Description

The HTTP TRACE method, which exists for debugging, was found to be enabled on the target web server. TRACE reflects the received request, including its headers, back to the client in the response body. In some circumstances this reflected data may include sensitive headers added by intermediary proxies.

Remediation

The TRACE HTTP method is for debugging only and should not be enabled on production sites.

For Apache-based web servers, ensure the TraceEnable directive is either removed or set to off.

For Microsoft servers, remove the registry value named “EnableTraceMethod” from the following registry key:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters

For all other server types, consult your product’s documentation on how to disable the TRACE method.
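To confirm that the remediation above took effect, the following check sends a single TRACE request and classifies the answer. It is an added example written for this finding, not the scanner's own tooling. It assumes a TRACE response that echoes the request carries the media type message/http (as RFC 9110 specifies) and that a server with TRACE disabled refuses the method with a 405, 403 or 501. The marker header X-Trace-Probe and its value are constructed for the check, as are the two sample responses, so the classification logic can be exercised offline.

```python
"""Verify whether a web server still honours the HTTP TRACE method."""
from __future__ import annotations

import http.client
import sys

# Media type of a reflected TRACE response (RFC 9110, section 9.3.8).
TRACE_MEDIA_TYPE = "message/http"

# Hypothetical marker header: if its value comes back in the body, the server
# echoed our request verbatim, which is the behaviour the finding describes.
MARKER_HEADER = "X-Trace-Probe"
MARKER_VALUE = "trace-check-7f3a"  # constructed value, no special meaning


def build_trace_request(host: str, path: str = "/") -> bytes:
    """Return the raw TRACE request that would be sent to the server."""
    lines = [
        f"TRACE {path} HTTP/1.1",
        f"Host: {host}",
        f"{MARKER_HEADER}: {MARKER_VALUE}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw: bytes) -> tuple[int, dict[str, str], bytes]:
    """Split a raw HTTP response into (status code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_trace_response(raw: bytes) -> str:
    """Return 'enabled', 'disabled' or 'unknown' for a raw TRACE response.

    enabled  - 200 with Content-Type message/http, or our marker value
               reflected in the body (the request was echoed back).
    disabled - a 405/403/501 refusal, the expected result after the
               TraceEnable or EnableTraceMethod change.
    """
    status, headers, body = parse_response(raw)
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    echoed = MARKER_VALUE.encode("ascii") in body
    if status == 200 and (content_type == TRACE_MEDIA_TYPE or echoed):
        return "enabled"
    if status in (403, 405, 501):
        return "disabled"
    return "unknown"


def live_check(host: str, port: int = 80, path: str = "/") -> str:
    """Send one TRACE request with http.client and classify the answer."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("TRACE", path, headers={MARKER_HEADER: MARKER_VALUE})
        resp = conn.getresponse()
        body = resp.read()
        head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
        head += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
    finally:
        conn.close()
    return classify_trace_response(head.encode("iso-8859-1") + b"\r\n" + body)


# Constructed sample responses (not captured from a real server).
SAMPLE_ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"X-Trace-Probe: trace-check-7f3a\r\n"
    b"Connection: close\r\n\r\n"
)
SAMPLE_DISABLED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(f"{target}: TRACE {live_check(target)}")
```

Run it against a host you administer after changing the configuration; the expected result is "disabled". Note that Apache's default for TraceEnable is on, so simply deleting the directive leaves TRACE available; an explicit TraceEnable off in the server configuration is what produces the 405 refusal the check looks for.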

Details

ID          16.11
Aggregated  false
CWE         16
Type        Active
Risk        high