Disable Trace and Track for Better Security
The shared server on which I host Perishable Press was recently scanned by security software that revealed a significant security risk. Namely, the HTTP request methods TRACE and TRACK were found to be enabled on my webserver. The TRACE and TRACK protocols are HTTP methods used in the debugging of webserver connections.
Although these methods are useful for legitimate purposes, they may compromise the security of your server by enabling cross-site scripting attacks (XST). By exploiting certain browser vulnerabilities, an attacker may manipulate the TRACE and TRACK methods to intercept your visitors’ sensitive data. The solution, of course, is disable these methods on your webserver.
How to disable the TRACE and TRACK methods
To disable TRACE and TRACK HTTP methods on your Apache-powered webserver, add the following directives to either your main configuration file or root HTAccess file:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]These directives disable the TRACE and TRACK methods via the following process:
RewriteEngine on— enables Apache’s rewrite module (this directive is not required if already present in your htaccess file)RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)— targets all TRACE and TRACK request methods for the following ruleRewriteRule .* - [F]— return a403 Forbiddenerror response for all matched conditions (i.e., all TRACE and TRACK methods)
With these rules in place, your site is protected against one more potential security vulnerability :)
27 responses to “Disable Trace and Track for Better Security”
Yes, definitely share the code if you end up with something. If I had the time, I would try to script something that did the job, but my free time is unbelievably scarce these days. It is difficult to choose among the many opportunities and possibilities that are available on the Web. If only I could clone myself..
Looks like this is in the 4G Blacklist. I just checked my .htaccess file and there it was. Cool.
Thanks – sent out a tweet.
I have the following in my .htaccess from the 4G Blacklist:
# FILTER REQUEST METHODS<IfModule mod_rewrite.c>RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]RewriteRule ^(.*)$ - [F,L]</IfModule>I am assuming, like John Hoff, that this has me covered. Am I correct?
Hi John, yep the 4G Blacklist includes these directives, so you’re covered. Thanks for the tweet :)
Hi Jordan, yes you are good to go. The reason for this article was to help those who may not have the 4G installed.
Jordan, remove
HEADfrom your list. This is a Good Thing.Let’s say, someone checks the links on his website to find and remove outdated URLs: His script will use
HEADto verify that the linked pages are still there. If your response code isn’t200the link will probably be removed.Forbidding
HEADmeans forbidding links from well maintained web sites.@Jeff and @Thomas,
Thanks guys, I really appreciate your shared knowledge.
I may have to agree with Thomas here. The
HEADrequest method was blocked in the 4G Blacklist to help thwart referrer spam and other malicious exploits. At the time, there seemed to be no benefits to keeping theHEADmethod, so it was blocked.With Thomas’ hypothetical link-checking scenario, there may be reason to permit
HEADrequests after all. This was something that I hadn’t thought of, but it certainly seems like a valid scenario. I will probably remove theHEADblock from the next, 5G Blacklist.In this case, I think the pros of allowing outweigh the pros of blocking.
Pretty agree with Thomas too, for the
HEAD.But
HEADcan also help to find the server version, if the owner set the server signature off.Hi Jeff! I would like to add this to my htaccess:
# FILTER REQUEST METHODSRewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) [NC]RewriteRule ^(.*)$ - [F,L]But I have already:
# BEGIN WordPressRewriteEngine OnRewriteBase /RewriteCond %{REQUEST_FILENAME} !-fRewriteCond %{REQUEST_FILENAME} !-dRewriteRule . /index.php [L]# END WordPressCan I have 2 or 3 different in the same htaccess?
Also, you say to put:
RewriteRule .* - [F]and Jordan put:RewriteRule ^(.*)$ - [F,L]So what does theLstand for? Should I put it or not?Thank you so much for your tips!!
Hi Nan, you can definitely add multiple blocks of HTAccess code into the same .htaccess file. It should work perfectly fine.
For the
[L]flag, it simply means that the rule is the “Last” rule for that particular set of directives. This is one way of keeping the different rulesets separate and distinct from one another.So yes, if you have multiple sets of rules, as in your case, you would want to include the
[L]flag to keep everything distinct.I hope this helps!
Limiting the allowed HTTP methods is great, but I think a whitelist approach is better :
RewriteCond %{REQUEST_METHOD} !^(HEAD|OPTIONS|GET|POST)$ [NC]RewriteRule .* - [F,L]If a developer then specifically requires another method in his program (eg.
PUT), deliberate action is required to enable it, which he should only take if he understands the need and implications.I ran some tests on (the servers of) my preferred hosting provider, and discovered that the
TRACEmethod still isn’t being disabled, even though a whitelist approach disables everything else (except the whitelisted methods of course)!!I’ve contacted them about it but thought I’d leave a comment here just to remind everyone to test (any and all) code once it’s in place, to make sure the code does what it’s supposed to!
Hope it helps someone.