TRACE HTTP method enabled


The debug TRACE method was found to be enabled on the target web server. This HTTP method reflects the HTTP request data back to the user in the response. In some circumstances the reflected data may include sensitive information added to the request by intermediary proxies.


The TRACE HTTP method is for debugging only and should not be enabled on production sites.

For Apache-based web servers, ensure the TraceEnable directive is either removed or set to off.

For Microsoft Servers, remove the registry parameter named “EnableTraceMethod” found under the following registry key:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters

For all other server types, consult your product’s documentation on how to disable the TRACE method.
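To confirm the change took effect, the following added example (not part of the original advisory) sends one TRACE request to a server you administer and reports whether the request is reflected and which echoed headers the client never sent, that is, headers added by intermediary proxies. The function names, the `X-Trace-Check` header and the sample response are constructed for illustration.

```python
import http.client
import uuid

def parse_echoed_headers(body):
    """Parse the request headers that a TRACE response echoes in its body."""
    lines = body.decode("iso-8859-1").replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:              # lines[0] is the echoed request line
        if not line.strip():
            break                       # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def assess_trace(status, body, sent_headers, marker):
    """Classify a TRACE response and list headers the client did not send."""
    enabled = status == 200 and marker.encode() in body
    added = []
    if enabled:
        sent = {h.lower() for h in sent_headers}
        added = sorted(h for h in parse_echoed_headers(body) if h not in sent)
    return {"trace_enabled": enabled, "added_in_transit": added}

def check_trace(host, port=443, tls=True, timeout=5):
    """Send one TRACE request to a server you administer and assess the reply."""
    marker = uuid.uuid4().hex           # random value, so an echo is unambiguous
    sent = {"X-Trace-Check": marker}    # hypothetical header name for this check
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers=sent)
        resp = conn.getresponse()
        body = resp.read(65536)
    finally:
        conn.close()
    # http.client adds Host and Accept-Encoding itself, so count them as sent
    return assess_trace(resp.status, body, list(sent) + ["Host", "Accept-Encoding"], marker)

# Constructed sample: echo from a TRACE-enabled server behind a proxy
SAMPLE_BODY = (b"TRACE / HTTP/1.1\r\nHost: www.example.test\r\n"
               b"Accept-Encoding: identity\r\nX-Trace-Check: abc123\r\n"
               b"X-Forwarded-For: 10.0.0.5\r\n\r\n")

if __name__ == "__main__":
    sent = ["Host", "Accept-Encoding", "X-Trace-Check"]
    print(assess_trace(200, SAMPLE_BODY, sent, "abc123"))
    print(assess_trace(405, b"Method Not Allowed", sent, "abc123"))
```

A result with `trace_enabled` set to `False` (for example a 405 or 501 status) indicates the method is refused; any names in `added_in_transit` show what an intermediary exposes while TRACE remains enabled.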


ID     Aggregated  CWE  Type    Risk
16.11  false       16   Active  high