TRACE Method Allowed

Impact: Low


HTTP TRACE method allows a client to see the whole request that the webserver has received. The main purpose of this feature is for testing or diagnostic information. This method can reveal sensitive information like Cookies and Authorization tokens to clients when they’re not supposed to access these data. This is often called a Cross-Site Tracing (XST) attack.


Disable the TRACE method in the webserver configuration. For the Apache web server, add the below line to the main configuration file.

TraceEnable off

For Microsoft IIS open ISS Manager, go to Request Filtering, and change the configuration for TRACK and TRACE verbs in HTTP Verbs.


Last updated on March 09, 2021

Use SmartScanner Free version to test for this issue