TRACE HTTP method enabled
Description
The debug TRACE method is enabled on the target web server. A TRACE request is echoed back to the client in the response body (typically with `Content-Type: message/http`), so the response contains the request line and every request header exactly as the server received them. That can expose data the requester never sees in a browser, such as cookie and `Authorization` headers, and headers that intermediary proxies add or rewrite on the way to the server (for example, credentials injected by an authenticating proxy). Reflecting those headers is the basis of the cross-site tracing (XST) technique.
Remediation
The TRACE HTTP method is for debugging only and should not be enabled on production sites.
For Apache based web servers, set the `TraceEnable` directive to `off` in the server configuration. Do not rely on removing the directive: Apache's default for `TraceEnable` is `on`.
For Microsoft IIS servers, remove the registry parameter named `EnableTraceMethod` from the following registry key and restart IIS for the change to take effect. This key applies to older IIS releases; on current IIS versions, TRACE can instead be denied as a verb through Request Filtering.
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters`
For all other server types, consult your product's documentation on how to disable the TRACE method. Whatever the server, verify the fix by sending a TRACE request and confirming that the response is no longer an echo of the request (Apache, for example, answers `405 Method Not Allowed` once `TraceEnable` is off).
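The script below is an added example and is not GitLab's DAST check or any code from the product. It shows how a scanner detects this finding (send a TRACE request carrying a unique marker header and look for that marker echoed in the body) and what a remediated server answers instead. Two toy `http.server` handlers stand in for a real web server: one reflects the request the way a TRACE-enabled server does, the other rejects the method with `405 Method Not Allowed`, which is what Apache returns with `TraceEnable off`. The header name `X-Trace-Probe`, its value and the `Allow` list are constructed for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed marker header: a scanner looks for this exact line in the reply.
PROBE_HEADER = "X-Trace-Probe"
PROBE_VALUE = "dast-check-1"


class TraceEnabledHandler(BaseHTTPRequestHandler):
    """Toy server with TRACE enabled: echoes the request line and headers
    back in a message/http body, as a real server does."""

    def do_TRACE(self):
        echoed = self.requestline + "\r\n"
        echoed += "".join(f"{name}: {value}\r\n" for name, value in self.headers.items())
        data = (echoed + "\r\n").encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


class TraceDisabledHandler(TraceEnabledHandler):
    """Same server after remediation: TRACE is refused with 405 and an
    Allow header listing the methods that remain available (constructed)."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def trace_enabled(host, port, path="/", timeout=5.0):
    """Send a TRACE request with the marker header. Returns
    (enabled, status, body); enabled is True only when the server answered
    200 and the marker header was reflected in the body."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={PROBE_HEADER: PROBE_VALUE})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
        reflected = f"{PROBE_HEADER}: {PROBE_VALUE}" in body
        return resp.status == 200 and reflected, resp.status, body
    finally:
        conn.close()


def start_server(handler_cls):
    """Run a toy server on an ephemeral localhost port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Probe both toy servers; returns {name: (enabled, http_status)}."""
    results = {}
    for name, handler in (("trace-enabled", TraceEnabledHandler),
                          ("trace-disabled", TraceDisabledHandler)):
        server = start_server(handler)
        try:
            enabled, status, _body = trace_enabled(*server.server_address)
            results[name] = (enabled, status)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, (enabled, status) in demo().items():
        state = "ENABLED (finding)" if enabled else "disabled"
        print(f"{name}: HTTP {status}, TRACE {state}")
```

Checking for the reflected marker rather than for a 200 status alone avoids false positives from servers that answer TRACE with an unrelated 200 page; against a real host, call `trace_enabled(host, port)` directly.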
Details
ID | Aggregated | CWE | Type | Risk |
---|---|---|---|---|
16.11 | false | 16 | Active | high |