Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-26325 | WA00550 W22 | SV-33183r1_rule | Medium |
Description |
---|
Use the Apache TraceEnable directive to disable the HTTP TRACE request method. Refer to the Apache documentation for more details http://httpd.apache.org/docs/2.2/mod/core.html#traceenable. The HTTP 1.1 protocol requires support for the TRACE request method which reflects the request back as a response and was intended for diagnostics purposes. The TRACE method is not needed and is easily subject to abuse and should be disabled. |
STIG | Date |
---|---|
IIS 7.0 Server STIG | 2019-03-22 |
Check Text ( C-33815r1_chk ) |
---|
Locate the Apache httpd.conf file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive: TraceEnable For any enabled TraceEnable directives ensure they are part of the server level configuration (i.e. not nested in a If the TraceEnable directive is not part of the server level configuration and/or is not set to “off” this is a finding. If the directive does not exist in the conf file this is a finding as the default value is "On". |
Fix Text (F-29467r1_fix) |
---|
Disable the TraceEnable directive by setting it to "off". |