Thursday, January 26, 2017

Disabling TRACE Command in Apache Server - 2.4 above

Note : Bellow approach is tested for Apache 2.4.6 under Red Hat Enterprise Linux 

Steps : 

1. Check whether you able to create fake cookie in web server.

    Command : curl -X TRACE -H "Cookie: name=Test by saminda" http://your web server/ 

2. If TRACE is disabled, then it should display like similar to bellow

Method Not Allowed

3. If TRACE is enabled, Then it will show HTML content of index.html

4. If the command shows HTML content of index.html, then add bellow line to beginning of httpd.conf

TraceEnable off

5. Reload the Apache web server.

Thank you